Why SOC 2 Still Takes Forever and When You're Actually Ready

AI is Useful. AI Slop is Not

AI can be wildly useful. It can also be a shiny button duct-taped onto your PSA, RMM, documentation platform, quoting tool, and possibly your coffee maker. This week on Get NIST-y, Jared and Mike talk about how MSPs can tell the difference between useful AI and vendor AI slop, plus what to ask before client data gets shoved into yet another “trust us bro” feature. Takeaways: - Useful AI should solve a real workflow problem, not create a paragraph you now have to babysit. - If you do not know where your data is going, you are not protecting it. - Read the MSA, DPA, privacy policy, subprocessors list, and AI terms before enabling AI features. - Vendors adding AI may be making a material product change, and your contract should matter. We answer: - How can MSPs separate useful AI from vendor AI slop? - What questions should MSPs ask before using AI features with client data? - Should vendors provide a separate DPA, AI addendum, opt-in, or click-through? - Is “trust us bro” now apparently a compliance framework? Submit your question: https://blacksmithinfosec.com/nisty/

Security on a Shoestring

In March 2026, Jared gave a talk titled "Security on a Shoestring" at BSides in San Francisco [https://bsidessf.org]. This week on Get NIST-y, we're bringing that talk to you. We'll be back next week with more answers to your questions. Want to get your own question answered? Head over to https://blacksmithinfosec.com/nisty [https://blacksmithinfosec.com/nisty]

Starting a Security-Focused MSP Without Selling on Fear

A crowded market is not the same thing as a dead market. This week on Get NIST-y, we tackled two questions MSPs should think about before they start selling security with a PowerPoint and a scary ransomware story. We talked about whether it still makes sense to start a security-focused MSP in 2026, and what it actually means to be an M365-based MSP now that identity, governance, and security posture matter more than just managing endpoints. Get NIST-y is the podcast where we make compliance and security practical for MSPs instead of turning them into checkbox theater. What we cover: - The MSP market is crowded, but the bottom is still heavily commoditized and there is room for firms that actually do the work well - Selling on fear is a bad long-term strategy. Trust and business value beat ghost stories - A strong MSP wedge usually starts with specialization, whether that is vertical, geography, or a specific capability - Being M365-based now means managing identity, conditional access, device trust, and user behavior, not just licenses and laptops We answer: - If you were starting a security-focused MSP in 2026, would you sell direct to SMBs, partner with existing MSPs, or avoid the market entirely? - What does it actually mean to be an M365-based MSP now that the real work has moved into identity, governance, and security posture? Submit your question: https://blacksmithinfosec.com/nisty/ [https://blacksmithinfosec.com/nisty/]

CMMC Level 2 Without Lighting Money on Fire

CMMC gets treated like a monster project. A lot of the time, bad scoping is the real monster. This week on Get NIST-y, we focused on CMMC Level 2 for smaller companies and cut through the panic. We talked about how to keep costs under control, how to scope tightly around the people and systems that actually touch CUI, and why buying tools is not the same thing as being audit-ready. Get NIST-y is the podcast where we make compliance practical for MSPs instead of turning it into theater. What we cover: - If only a few people touch CUI, scope the enclave tightly and keep the rest of the business out of it - You do not need to throw the whole company into GCC High if the work can be isolated properly - Mapping data flows first saves a lot of money and prevents scope creep later - CMMC gets harder when companies buy tools but never operationalize the controls behind them We answer: - What does a realistic CMMC Level 2 path look like for a small company without lighting money on fire? - Is CMMC Level 2 really that hard, or are companies making it harder by refusing to scope and operationalize it properly? Submit your question: https://blacksmithinfosec.com/nisty/ [https://blacksmithinfosec.com/nisty/]

Why SOC 2 Still Takes Forever and When You're Actually Ready

SOC 2 gets sold like a clean checklist. It usually is not. This week on Get NIST-y, we tackled why evidence collection still eats so much time even when the data already exists, and how to tell whether you're truly ready for a SOC 2 Type 2 or just getting shoved there by sales. Get NIST-y is the podcast where we make compliance useful for MSPs instead of turning it into decorative paperwork. What we cover: - Evidence collection drags when teams pull proof from 20 systems instead of the one place that already has it - Some tools still make basic reporting absurdly hard, which turns audits into screenshot Olympics - The wrong auditor can slow everything down, but the bigger problem is usually weak scoping and sloppy evidence workflows - SOC 2 Type 2 readiness is less about feelings and more about whether you've been operating the controls consistently over time We answer: - Why does SOC 2 evidence collection still take so long when the data already exists? - How do you know whether you're actually ready for a SOC 2 Type 2 versus just emotionally ready because sales wants the logo yesterday? Submit your question: https://blacksmithinfosec.com/nisty/ [https://blacksmithinfosec.com/nisty/]