HIPAA and CMMC Compliance Opportunities for Cybersecurity Revenue
Sumera Riaz and Trevor Burnside laid out how two massive regulatory shifts are creating your next eighteen months of compliance revenue.
Top takeaways:
• GRC is the backbone of every security sale — clients buy security because of deadlines, not because it’s the right thing to do.
• HIPAA’s getting a makeover: First major overhaul since 2013 turns “addressable” controls into mandatory requirements (MFA, encryption, network segmentation, etc.).
• The 240-day countdown: Once final rule drops (expected June/July 2025), healthcare organizations get just 240 days for full compliance.
• CMMC Level 2 crunch: 76,000+ defense contractors need certification by November 10, 2026, but only 1,100 have completed it with just 83 assessor firms nationwide.
• Math doesn’t add up: 6-12 months prep time per certification × limited assessors = massive bottleneck opportunity.
• Stakes are real: Non-compliance means business closure for healthcare, lost government contracts for defense contractors.
• Sweet spot clients: Mid-sized doctor offices, dental practices, dermatologists (they’ll need the most help), plus any manufacturer/contractor touching DOD work.
• Cost of inaction: Healthcare breaches average $7.42M, HIPAA penalties hit $2.19M, and 57M people had health data exposed last year alone.
Discovery gold mine questions:
- Do you create, store, or transmit health data?
- Are encryption and MFA fully deployed?
- Could you prove your safeguards in writing tomorrow?
- How much of your business involves government contracts?
Time to screen your book — every healthcare and defense client needs this conversation now. Contact your cybersecurity SE team to register deals and connect with HIPAA/CMMC assessors in the Telarus network.
Video Transcript
Transcript is auto-generated.
I am excited to introduce Sumera Riaz, our VP of cybersecurity, and Trevor Burnside, solution architect for cybersecurity today because they’re about to show you how two massive regulatory shifts have created your next eighteen months of compliance revenue. Sumera and Trevor, thank you so much for being here again. I will hand it off to you.
Hey, guys. Good to be here with you all today. Thanks, Cass. So I’m super excited to bring this next thirty minutes to you because we’re gonna dive into the world of governance, risk, and compliance.
It might sound boring, but hang in there with me because it’s so not boring. GRC is actually the backbone of every single company out there. Every client you have, governance risk compliance is how the company operates, and security is kinda woven right into it all. So, I know, like, a lot of times, I describe security as a diamond.
It has so many facets to it, but it’s this one thing, and GRC is the heart of that one thing. It’s how security controls and different solutions and basically the whole security, the diamond, comes about. The foundation is GRC. So we’re gonna give you a little teaser and overview into what GRC is, and then we’re gonna really dive into HIPAA and then CMMC after that.
Because there are great opportunities this year that you can win on these two compliances alone.
So moving right along. And if you guys have sold into HIPAA or CMMC, throw that in the chat. Let us know, like, if you’re talking to your clients today about HIPAA, about CMMC opportunities today. So part one, let’s go through GRC and then HIPAA, and then we’ll end with CMMC, and then we’ll just pull it all together and give you a cool playbook.
Alright. So GRC basically, what GRC is in one sentence, GRC is how an organization decides what looks good. So last week, I took PTO to move. I moved from one house to another, and anybody on the call today who has moved can feel my pain.
So in the new house now, I’ve already shifted. Everything in the new house is in boxes. I can’t find cords, wires, remote controls. I mean, it’s a mess.
But if I had good governance in place, I would have a spot where everything went. Right? That’s basically what governance is. It’s creating organization out of chaos.
So in a company, governance would look like, hey.
These are our policies. They go here. These are the controls. They go here. This is our CRM, our CRM tooling.
They go here. So it’s basically an organized space, if you will. Everything has a spot. It’s because you wanna be able to quickly check those controls and make sure you are compliant.
So governance and compliance kinda go hand in hand. Governance is this is what looks good, and then compliance is are you following what actually looks good. So a lot of times, when I build up my security plans, my security strategies from a CISO, I would reverse engineer in. So I’ll say, okay.
What compliances does my company have to follow today? It’s HIPAA, GDPR, CMMC, whatever that is. Those are my foundation. Right? Compliance first, and then the controls that are in each of the compliances build my governance plan, and that then highlights what risks I have today.
So it’s, it’s beautiful when it all pulls together. And maybe in the next session we have together, I’ll show you kind of my actual security plan, what it looked like when I built it out using these three as the foundation.
So GRC, it drives security sales because clients, as you know, rarely buy security because it’s the right thing to do. They buy it because there’s a deadline. They buy it because there’s been a ransom event. There’s been a breach.
So GRC is a big driver for security sales. There’s revenue at stake. Trust is a big differentiator. Right?
AT&T recently was hacked. I mean, they’ve been hacked almost every year, and I say that jokingly. But over forty four what was it, Trevor? Like, over forty million accounts were exposed to the dark web.
You know, just trust as far as privacy of folks goes is a big, big thing, and GRC helps protect that. So trust as a differentiator, a compliance story, it wins deals with competitors. Penalty avoidance. When I lived in Europe, Bayer, they are a big pharma company.
They make aspirin and all these things. There’s, like, penalties associated, right, with GDPR and all that. And I remember one year, we had to pay a fine for GDPR upwards of twenty five million euros because we missed one little thing. So penalty avoidance is huge, and compliance is, you know, kind of the key for that.
Deadlines. Government deadlines, they create urgency. Just, you know, as you can see right now, for those of you who are selling into CMMC, there’s a major deadline coming up, and a lot of companies are behind. So, yes, that is a revenue generator.
But on the other side, it’s so important for these companies to become compliant, and they need your help to get there just to stay just to keep their lights on. So it’s a huge opportunity there.
So this is a risk mapping exercise. Right? Don’t get overwhelmed by all the words on here. What I’m going to help you do is just kinda empty all these out, like, just send you a blank slide like this, and you can do this exercise with your clients.
So basically it’s a risk map exercise, and what you would do is, like, what are the top five investments that your clients have today? Right? You would walk this through with your client, or Trevor and I on our SE team can jump on the call and do this with you and your clients, where we put in their top five investments when it comes to security and what are their top five business risks, and see if their investments align with the risks they have today. So for example, on this slide, a couple of things the clients miss.
Right? So firewall and perimeter, but third party vendor compromise. They have nothing for third party vendor compromise. So that’s a huge opportunity.
They need a TPRM solution in place. And we have providers that you can bring in and say, we can fill this gap for you right here. Security ops center, those are controls that are in almost every compliance. There has to be a twenty four by seven eyes on glass, a SOC, security ops center.
And that right there is a regulatory breach, like, right off the bat. So these are quick wins that, if you do this exercise with your clients, you can find, and then that becomes a revenue conversation. And, again, you don’t have to do this alone. We’re happy to help you, and we’re happy to do it with you.
Yeah. I like this. It’s a good visual representation and simplification of what the process of risk management is, right, of what’s the biggest risk to our business, and how are we gonna mitigate those risks or address those risks in some way? Right?
This is, again, kind of an oversimplification, but a really good way to visually show clients that, hey. You may not be completely addressing the biggest risk to your business. Like, you know, email security, obviously. You know, phishing attacks remain number one.
If they don’t have email security, you know, you’re looking at some of the biggest risk and not addressing that. There’s not a good reason not to. So even if you’re working in industries that are not regulated or customers that, you know, don’t have real high regulation or compliance, they still have to address their risk.
Yeah. Especially right now with AI powered phishing attacks, or not just phishing, but AI powered attacks. I mean, Meta AI got hacked these last few days. Right?
The attacks that are coming in with AI, twelve hundred and sixty five percent more than last year. That is a huge number. Like, that’s how, in just six, not even five months, the attack percentages like, last year, we had, you know, forty two percent higher attacks than we did the year before. But this year, just in five months, the stats now show a twelve hundred and sixty five percent hike. At one point, we had eleven companies in breach at the same time; one of the partners had called me and said, I’ve got eleven companies in a breach right now because of AI.
So AI isn’t bad. It’s the bad people operating AI that are bad. Right? But these investments are supposed to protect the company against these risks. And if they don’t have the right investments, they’re not gonna be protected. And that’s where you guys come in to help align the right investments to the right risks so they can have proper protection in place for their companies.
Two regulations that we’re gonna talk about in a second, HIPAA and CMMC, are forcing clients off the fence to buy because of these deadlines. So without further ado, let’s dive right into it. Start with HIPAA. It’s rebuilt for twenty twenty six.
The first security rule, the first major overhaul of HIPAA, was twenty thirteen, almost ten years ago. And there are optional controls in there to be compliant with HIPAA that are now mandatory or about to become mandatory. So, Trevor, I’m gonna give you the mic. Who does HIPAA apply to?
What is HIPAA, and who does it apply to?
So when you look at HIPAA as well as CMMC, you have to look at the data that it’s protecting. And HIPAA is around PHI, or personal health information, and ePHI, or electronic personal health information. That’s what it’s built around. That’s what it’s designed to protect. It’s designed to protect people as well as the data that they have. Right? In this case, medical data, personal health information.
I’ve been talking a lot about this. A lot of people have been asking me, yeah, I’ve been seeing all these changes. Everyone talks about there’s gonna be changes.
A lot of it is, hey. What was essentially recommended is now going to be required. So to your point earlier, you know, there’s a lot of, hey. In certain situations, you don’t have to do this.
You don’t have to encrypt this traffic, but now you may have to.
Okay.
So HIPAA applies really to any business organization that is touching PHI or ePHI. So if you’re a clinic, if you’re, you know, even an MSP that is now, you know, hosting ePHI data, you know, they also are now going to be part of that perimeter, we would call it, right, that data perimeter. So, yeah. Already, we have vendors that say, oh, our services are HIPAA compliant.
Right? Because that means you can use PHI data with their system safely, and they can be part of that PHI perimeter. Yep. But that’s essentially what that means.
Yeah. No. That’s perfect. And the Department of Health and Safety, Office of Civil Rights, they regulate HIPAA.
So it is a federal mandate for those agencies handling any health care data to be HIPAA compliant. So what is the big shift, Trevor? What is changing this year, from what is addressable now becomes required? What does that mean?
Yeah. A lot of the addressable stuff is like, hey. Discretionary. Maybe you can think of it that way, of depending on the situation, maybe you don’t have to have MFA enabled, or multifactor authentication. Depending on the situation, you know, this network doesn’t touch the Internet, so we don’t have to encrypt it, you know, even though it has PHI data on it. You know, there’s some gray areas that are no longer gonna be gray areas is a way to think of it. And some of these on the slide are showing what those are.
Yep. And these come up in audit. That’s how addressable and required is flagged. So when HIPAA announces finally that this is gonna be the new law, this is what everybody has to follow now with health care, what happens is when it comes time to audit, it’s usually around August, they have a big check, and they go through and it says, do you have MFA?
Yes or no or other. Right? That other where you can type in your justification. When I was a CISO, we were compliant with PCI, GDPR.
And when I filled out those audit forms, it would say twenty four seven, you know, monitoring center. And if I don’t have a twenty four seven, I have to write in there why I don’t need it. Like, why is it justifiable? No.
That’s what addressable means. But required is there’s no justification. You have to have it to be compliant. There’s just a yes or a no box.
There’s no type in your justification for why you don’t have it. You have to have it. If you don’t have it, you’re out of compliance. You gotta shut your doors.
That is the cost of not being compliant. The business shuts down. They cannot continue to operate as a business if they are not HIPAA compliant completely. So those are the stakes. Right? Them are the stakes, people.
So walk us through these six things that are gonna be required that are today just kind of addressable.
Yeah. Some of these are the basics. Right? Multi factor authentication. It’s been around a long time and something that is basically recommended by every framework that you can imagine to have it enabled on all the things.
Right? Turn on MFA for all the things. Now it’s gonna be required specifically on remote access, remote accessing systems that have ePHI, like an EMR system or an EH, you know, those systems that hold that data. It’s almost like, if you think of, like, a customer database, but it actually has patient data.
Right? That’s an EHR.
Access to those will require MFA. Encryption of data both at rest and in transit. So if you’ve got a database that’s holding, you know, customer or patient data, that has to now be encrypted at rest as well as in transit. So if it’s going out, you know, it’s gotta be encrypted on its way out.
Yeah. You know who’s at risk for the encryption, especially for any of these six actually? The mid sized doctor offices. Like, large health care companies like insurance and hospitals and stuff, bailers of the world, they will probably be, you know, first to market and get this done because they have a lot at stake. But the offices, like, I worry about that, like my doctor’s office, my dentist office, or, you know, the dermatologist.
Those are gonna be the guys that, if you have those in your book of business, you need to get on the call with them and say, hey. This is about to become required. What is your plan here? What are you going to be doing?
And if you don’t know, let me help you. Right? And network Great point. Yeah.
Yep.
I was just saying network segmentation falls right into that. Right? How many of those small clinics are flat networks that if you got in, you would be able to see everything. Right?
Yes.
It’s just not good practice. These are, again, fundamentals, basics. But even if you’re a small clinic, maybe it’s time to take a look and see if, you know, you need to bring in an MSS or an MSP or an MSSP to help with professional services or managed services to just make sure that they’re going to be compliant.
Yeah.
Asset inventory mapping, even for small organizations, you gotta know what’s on the network. Right? You gotta be able to track, monitor, and be able to do patching, make sure that everything’s up to date.
You know, even for small clinics, it’s important. And even if you’re like, hey. There’s only ten people in this office. I guarantee there is an asset on the network that they don’t know about. It just happens all the time. And it does.
Even for people that are doing asset inventory and management, there will be stuff on the network that they don’t know about.
For sure. Vulnerability scans, pentesting, that’s just mandatory Yeah. At this point. Yeah.
Yep. Exactly. I mean, HIPAA has recommended an annual pen test for health care providers, clinics, and stuff now. Of course, that’s just enforcing that a little bit more.
And then also audit logging and vendor checks. So you can think about, like, a, you know, SIEM, or security information and event management, system. Those things are gonna now, instead of just, hey. You really should have a SOC and a SIEM. Now it’s gonna be, well, how are you auditing those logs if you’re not using a SIEM? Maybe you should.
Maybe it’s time, if you’re not using one, even if you’re a small office.
How are you gonna start doing auditing of those logs or be able to go back and audit logs? So Yes. It brings a lot into question. Right?
Yeah. It’s manpower that they don’t have today. It’s people that they either need to hire or outsource. And we want them to be able to outsource because we know if they hire a staff, it’s a lean IT staff. There’s not a way.
It’s just the regulations that are coming now, it’s very hard. It’s gonna be very hard for companies to manage it internally. They are gonna need to outsource. And that is good news for us in this world because that equates to MRR. Yay.
So there is good news in all of this.
Alright. Absolutely.
Yep. So No.
I think oh, go ahead.
Oh, I was gonna say, so let’s talk about the rule and the two hundred and forty day clock. What does that number mean?
So in January twenty twenty five, there was a proposed rule that was published. Right? Basically, what that means is the new changes that are coming with HIPAA, they were made known in January twenty twenty five.
HHS announced it, OCR backed them, that we’re gonna be making these conditional things. Now they’re gonna be required. March twenty twenty five, though, that comment period, the objections and all that, closed, and then the final rule is expected any day now. So in June, July, we’re gonna hear from HHS, and more than likely, there’s ninety nine percent, that rule is gonna be confirmed.
And all the things that were optional at one point, now they’re gonna be required. And the hard thing is health care agencies, any company that is under HIPAA right now, only has two hundred and forty days for compliance. That is a hundred and eighty days for themselves to comply, and then sixty for the vendor agreements. That is not enough time because you saw just six things on the last slide, and those were just six of them.
There’s a hundred and nineteen controls in HIPAA.
So there’s, I mean, there’s a lot that these companies are gonna need help with, especially assessments, gap assessments, risk assessments, HIPAA compliance assessments, and then fill those gaps within those two hundred forty days. So it’s a great opportunity for you guys to have these conversations starting now because that timeline is very small.
Yep.
And then what does it cost? Cost of inaction. If we don’t do anything and if we just you know, I love what you say. Security threw up security, Trevor. It’s like if we just ignore it all, not do anything, this is what it costs. That’s a lot.
And a lot of these, you know, previously, I’d say, like, smaller clinics and stuff that I’ve worked with have, you know, not exactly been, you know, a hundred percent compliant, and they think we’re just too small.
Who’s even gonna, you know Yeah.
Come after us. Right? The OCR is not gonna come after we’re only five people in our office. We’re only ten people.
We’re only twenty. Some people only say, we’re only two hundred and fifty people. We’re pretty small. Right?
Part of this is actually more not just a change of controls or enforcement of controls, but it’s also enforcement of the practice itself, and OCR is saying, we are going to start doing more penalties, and the penalties are gonna be greater for noncompliance than they have been in the past.
Yeah. Exactly. Fifty seven million just last year. Fifty seven million people, and that includes people on this call today.
That includes me. That includes you. We had our health data exposed through, if you have Change Healthcare that was part of UnitedHealthcare, if you’ve ever had United or ever gone to a hospital that was United, your data was exposed in the last few years with the Change Healthcare breach that happened. And, I mean, that’s fifty seven million people.
Right? Average cost of health care data breach is seven point four two million. That’s the average. And that doesn’t include the ransomware payment.
That doesn’t include the stock price dropping. That is just the average cost of a breach. It’s highest in any other industry. Finance industry, manufacturing, health care, breach costs are the highest.
Right? Because of the data at stake, for the attackers, for bad guys, the health care data is a money maker because that data is critical to any nation state attackers. That data is gold, basically.
So that’s why the breaches are very expensive.
Two point one nine million top tier HIPAA penalty. That’s what you’re looking at. Right? If a company is not compliant with HIPAA when the rules come out, two million right off the bat. That’s a lot.
So those are just some things to keep in mind as you go through and talk to your clients. So top three questions you can ask your clients now, discovery questions for HIPAA, stated right here. Trevor, do you wanna walk us through this?
Yeah. I was gonna say, Zachary Schechter said earlier, like, some of my clients that I have don’t think they’re affected by this. Right? Well, the answer is what data do you have?
What do you even have access to? Do you have access to PHI or ePHI? So that first question, do you create, store, transmit health data for any client, or even just host it? Is that hosted on your servers somewhere?
Are you, you know, a cloud provider or private cloud provider? If the answer is yes, then some of these controls are going to apply to you.
Second one, are encryption and multifactor authentication fully in place? Those are still on the list.
I would say on the encryption side, I would bet that there’s still a lot on data at rest that they don’t have the full visibility on. So there is, in that GRC kind of initiative, a process or a product called DSPM, or data security posture management, where you can get visibility to the data that is traversing on the network. And to really simplify it, you can say, alright. This is PHI data. Where is it going on my network? And does it touch anywhere that’s not encrypted? And if that’s the case, then we have to encrypt those, we have to block it so the data can’t go there, or we have to encrypt where it’s going.
So there’s gonna be a lot there on the encryption side with clients of just data visibility and then being able to address that, because it’s gonna come up in an audit if they don’t.
Yep. Exactly.
And then go ahead if you wanna do three.
Yeah. No. These are really good. And then, if a client asks you to prove your safeguards in writing tomorrow, could you do it? That is a great question because the documentation now is gonna be, you know, the new bar, basically.
Yeah. Like you said, out of all those controls, a lot of this is policy controls. It has to be in writing. It has to be in process.
So while we can do a lot when it comes to email security, encryption, multifactor authentication, there’s also a lot more that needs to be done on making sure they have a written policy in place and the technical writing is correct and that it can pass an audit. And that’s still where a lot of our vendors can help, from vCISO, or professional services, or GRC as a service.
Yep. Exactly. And for you guys asking the sources, the general publications, I will post it in chat, in just a second so you can have those links available.
And, Arvind, yes, we have a list of providers that are perfect for health care for this, and that’s gonna be on Telarus University, the cybersecurity landing page.
And, Chandler, Cass, if you can put a link to the landing page in here, you’re gonna find that information on that page for all the health care. You can also access it in our hub as well if you just sort it by the compliance matrix, and it’ll pull up the list of providers that can support.
Alright. Next slide.
Let’s go into CMMC now. Right? We’ve kinda beaten down HIPAA. Providers are in the hub, also on the cybersecurity landing page in Telarus University. Now let’s look at CMMC, and that’s kind of exciting because of the opportunity, and it’s for defense contractors. Basically, any company that’s handling data that’s critical to national security has to be CMMC compliant.
The companies already are gonna know if they need to be or not. So that’s not something we have to worry about.
The clients know who has to be and who doesn’t have to be, basically. So, Trevor, walk us through just the basics at a high level, what is CMMC, and then who does it apply to?
Yeah. So it’s mostly for Department of Defense or Department of War contractors, government agencies that are working with, again, we gotta follow the data, and the data that they’ve identified in CMMC, or cybersecurity maturity model certification, that’s protecting is what they call controlled unclassified information, or CUI, or some people call it CUI. I’m not one of them, but some people do.
CUI, that is information that it’s unclassified, but, you know, it has some type of sensitivity to it, that if you had a bunch of CUI or a bunch of, you know, information put together, that could actually be actionable intelligence that could be used against the nation. So what CMMC is, if you wanna think of it from, like, a framework perspective, it’s built on, you know, NIST 800-171, which is a hundred and ten security controls. It’s quite a bit.
But with some provisions, again, specifically around CUI and handling CUI, storage of CUI. Very similar to PHI. Right? We gotta look at where the data is. Is it encrypted?
How is it being transmitted? How does it move in the network? A lot of similar kind of features when it comes to at least the comparison. But it’s completely different in nature and what that data actually is, and it’s different in the sense of the market that who actually needs it now.
So you would think you know, it’s easy to understand, okay, clinic, a health care provider, they have to have HIPAA compliance. CMMC compliance is a little different because that could be a lot of organizations. That that’s different industries even. It’s not just one industry.
Manufacturing actually is a big one for CMMC, where, hey. We make, you know, we’re an HVAC vendor, but we also do HVAC for, you know, government installation sites. Or, hey. We make O rings, like rubber O rings. And by the way, one of the O rings we make goes on the F-16 jet. Right?
It could be a lot of things. It means a lot of industries. If you have clients that are doing business with the federal government or the DOD, DOW Yeah. They are considering this. So you gotta talk about it, and I would bring it up. How much of your business is with the government? If you wanna keep that business, you gotta start looking at what this means to you guys.
Exactly. So now the three levels of CMMC, the first level is foundational basic safeguards, annual self assessment.
But it’s moving to level two now. Right? So advanced is where we are today. It’s third party assessed.
It’s not a self assessment. The self assessment is actually ending as of this year. So everybody who is CMMC today is gonna need to be third party assessed and certified. And then level three is usually for, like, CMMC.
There’s a four and five level that you go to, and that is usually done by government. The government provides the software. The government provides the enclave where the environment needs to rest in. Those are completely kind of a separate deal. So right now, where we are at is this level two, advanced. The majority of your ICPs, ideal client profiles, are gonna fall right here in level two.
And then what is the deadline? What is the phase rollout? What is the hype? What are we all talking about? It’s this right here, the phase two. November tenth, twenty twenty six, that’s when the companies have to be compliant by. That’s how long they have.
And interestingly enough, this next slide speaks to why the urgency. Right? This is the why right here. There are over seventy six thousand companies that need the level two third party certifications.
As of early twenty twenty six, only eleven hundred of them have completed it and are now compliant. There are a total of eighty three assessor firms that exist in the United States today to do this work, and it takes six to twelve months to prep for the assessment. So if you look at these numbers, the math, it sells itself.
Right?
The amount that we need to get certified and the time and people to certify them, it’s just not enough. What is going to happen if the delta of these folks don’t get compliant? They’re gonna lose their projects. They’re gonna lose the bids that they have right now with the government. They will not have those contracts anymore.
That means loss of revenue for the company. That means some of them may even have to shut their doors if they don’t get compliant. That’s how serious this is. So talking to your clients now, you’re gonna be doing them a favor.
Right?
So three questions we have. Go ahead, Trevor.
I was gonna say to Chris, it’s Philip’s question. So he said how many are in the ecosystem? I’m assuming he’s talking about those assessors. So we actually have a few. We have a lot of vendors that can help with these controls. We only have a couple actually that can do the actual audit or attestation or actual certification.
But so wherever your customer is in that CMMC journey, we can help them, whether it’s I don’t know what I’m doing all the way to I’m ready to go. I need an audit.
Yep. Exactly. So two questions you can leave with right now. Do you hold, wait on bid, or duty contracts that involve sensitive information?
Most of them are gonna know this anyways. Are you still relying on self assessment, or have you booked a third party assessor? Which, by the way, we have third party assessors within our provider network. So if you have a CMMC client that needs to be compliant, but certified, please get in touch with us.
We can register the deal, get you in touch with the providers who are this third party C3PAO. And then another question to ask is, do you know your phase two date and how long the certification will take you? You already know the answer to this going in and asking them, but it’s just to, you know, bring that, give them time to, like, yeah. It’s coming up.
Yeah. I gotta get this done. Can you help me do it? So and you have all the providers.
You have everything you need in the Telarus portfolio to help your clients get to that finish line. Just contact us. We’ll register a deal. We’ll get you in touch with the assessors and the auditors.
And, yes, you can monetize on it.
So bringing it all together, one playbook, two deadlines. HIPAA and CMMC, they might look different on paper, but it’s the same talk track for both. And all you gotta do is name the pressure, the dates, all the stats we’ve given you, qualify the scope, and sell the head start. The selling point is gonna be this is happening in a few months.
You can, you know, either be ready for it and keep your doors open, or it might result in fines or closed doors for businesses. And those of you who know me, you know, I don’t like selling out of FUD, fear, uncertainty, and doubt. I like selling in reality, and this is not FUD. I just wanna make it clear.
This is reality. This is happening as we speak. So it’s a great time to talk to your clients and get them ready for what’s coming ahead in a few months. So to make it very simple, what do you gotta do?
You gotta screen your book, flag every account that touches health care data or defense work. Those are the calls you gotta make. Lead with the deadline. Deadlines, they move people to act.
Right? I didn’t, like, pack my things or move and all that until I knew the date I had to be out by. So deadlines, they move people to act. CMMC has a hard date.
HIPAA has a short clock once it lands. So it’s gonna move very fast this year.
Frame cost, not features. Again, you wanna talk business risk. You wanna talk what it’s gonna cost them if they don’t comply, and stay out of the technical conversations. Yeah?
And then selling readiness now. The bottleneck is real. Right now, I don’t know what the backlog is for the assessors that exist today, but getting your clients in line, getting in there early, is gonna pay off.