In this conversation, Bobby and Adam discuss the importance of being ready for an assessment and share their experiences with self-assessment. They highlight the need to have solid evidence and be able to demonstrate compliance with the controls and assessment objectives. They also emphasize the interconnectedness of controls and the importance of having evidence that covers multiple controls. They introduce a template they use for self-assessment and explain how it helps them track their progress and identify areas that need more focus. Overall, the conversation provides valuable insights and tips for organizations preparing for assessments.
Website: https://www.axiom.tech/
YouTube: https://www.youtube.com/channel/UCaJagoDasNG3MqLqw2Af_ZQ
Axiom's LinkedIn: https://www.linkedin.com/company/axiomtech/
Bobby's LinkedIn: https://www.linkedin.com/in/bobbyguerra/
Kaleigh's LinkedIn: https://www.linkedin.com/in/kaleigh-floyd-079a52190/
[00:00:00] [SPEAKER_00]: Welcome back, climbers. I'm your co-host, Kaleigh Floyd, and this is another episode of Climbing Mount CMMC.
[00:00:11] [SPEAKER_00]: Do you want a perfect score on your CMMC level 2 assessment? Today, Bobby and Adam are going to
[00:00:17] [SPEAKER_00]: share their real life examples of what it took for them to be ready for their level 2 assessment
[00:00:22] [SPEAKER_00]: and we hope you guys enjoy today's episode. Okay everybody, we're super excited to talk
[00:00:28] [SPEAKER_03]: about a topic that I think a lot of people underestimate when they say, yeah, I think I'm ready.
[00:00:36] [SPEAKER_03]: As we were going through this right, Adam? As we're going through to get ready for our organization
[00:00:41] [SPEAKER_03]: to be assessed, what we ran into is some things that we just didn't quite expect and so we
[00:00:48] [SPEAKER_03]: thought that we would just try to open up and try to be as transparent as we can and show
[00:00:54] [SPEAKER_03]: some examples with everybody to help them kind of know how to know for a fact that you're ready.
[00:01:00] [SPEAKER_02]: How does that sound? Yeah, sounds great. Because yeah, over the last couple weeks, months, etc.,
[00:01:05] [SPEAKER_02]: we've been hard at work through our CMMC practices and getting the finishing touches on
[00:01:09] [SPEAKER_02]: our programs here. And one of our final pieces was our internal self-assessment because we look
[00:01:15] [SPEAKER_02]: at when it comes time to be assessed. Obviously, an assessment is not cheap. It is quite time
[00:01:20] [SPEAKER_02]: consuming. And for organizations, whether it be MSPs or just your average small business out there
[00:01:26] [SPEAKER_02]: that's trying to be assessed, that's a lot of money. You want to make sure you're prepared for it so
[00:01:30] [SPEAKER_02]: you're not just, you know, the auditor doesn't show up, look at your paperwork and go, yep,
[00:01:34] [SPEAKER_02]: this is garbage. Y'all failed. We didn't want to be in that situation, so we needed a self-assessment.
[00:01:40] [SPEAKER_03]: Well, I don't know about you, but I could just talk about me. I felt a little cocky.
[00:01:44] [SPEAKER_03]: I was like, oh yeah, we've got all these things broken out. Each assessment objective
[00:01:49] [SPEAKER_03]: with the determination statements and how we're going to address each of these respective
[00:01:53] [SPEAKER_03]: assessment objectives. And we have it broken out in our SSP. And even in the SSP, we have a lot of
[00:01:58] [SPEAKER_03]: times where we're deciding policies and you're like, man, we're good. But when we went through
[00:02:03] [SPEAKER_03]: to do our real final readiness, we learned some lessons.
[00:02:08] [SPEAKER_02]: I think a good statement to kind of pick up where you're leaving off there.
[00:02:13] [SPEAKER_02]: You know, we had great plans. We have great procedures, great policies. We're very confident
[00:02:17] [SPEAKER_02]: in those. You know, I'm looking over some of those and going, man, did I really write this?
[00:02:21] [SPEAKER_02]: This is good stuff. But no plan survives. Notice it was that you wrote it because if I wrote it,
[00:02:27] [SPEAKER_03]: that's the reason why I did design and you did documentation. That's why we threw yours out
[00:02:31] [SPEAKER_02]: when we started. You're not wrong. You're not wrong. Oh, that's a fun story for another time.
[00:02:38] [SPEAKER_02]: Maybe that'll be like the B roll, like recap in our journey episode. That will be a good
[00:02:42] [SPEAKER_03]: story where I'm sure people want to hear how we basically took everything that I wrote and threw
[00:02:47] [SPEAKER_02]: it out after you started. I still love how my, one of my interview qualifications was here's
[00:02:52] [SPEAKER_02]: a whole bunch of stuff, rewrite it and make it better. Yes. So yeah, fun stories for another day.
[00:02:59] [SPEAKER_02]: But as they say though, no plan survives first contact with the enemy. So when we're sitting
[00:03:03] [SPEAKER_02]: there, we've got our SSP statements, our policies or procedures, we're feeling great about it.
[00:03:08] [SPEAKER_02]: And then I hand off my paperwork to Bobby and say, okay, go do it. Go get some evidence.
[00:03:13] [SPEAKER_02]: And we're like, hold on, this doesn't work. This is crap. This needs to be better.
[00:03:17] [SPEAKER_02]: We missed something completely here in this procedure. Right? We're trying to align that
[00:03:21] [SPEAKER_02]: to our assessment objectives and going, crap, this could be better. We forgot this. This statement
[00:03:26] [SPEAKER_02]: isn't as clear. And we learned some painful lessons. Well, and as we kept
[00:03:31] [SPEAKER_03]: running into that, we kind of did this really cool thing where
[00:03:36] [SPEAKER_03]: we actually, with Brian Hubbard, we went through and did a mock, sort of like, we,
[00:03:44] [SPEAKER_03]: we just, we sat down with him and said, Hey look, can you maybe go through like,
[00:03:48] [SPEAKER_03]: like just one or two controls just to see how it would feel if we were doing an assessment?
[00:03:53] [SPEAKER_02]: And that also opened our eyes to some things. Right? Yeah, absolutely. Um, because if I was
[00:03:59] [SPEAKER_02]: thinking we have that as a podcast episode somewhere earlier in the season, right?
[00:04:02] [SPEAKER_03]: Yeah, we're hoping that we're going to release it with Kaleigh's trying her best
[00:04:05] [SPEAKER_03]: to sanitize it because it's real. Like we actually went through that. Um, and so we're
[00:04:09] [SPEAKER_03]: trying to see if we can try to sanitize and maybe coordinate with Brian. Uh, but he's been
[00:04:13] [SPEAKER_03]: really busy. So that's kind of where we're at on the state of that podcast.
[00:04:16] [SPEAKER_02]: Yeah. And that's actually a great point because one of the controls and procedures
[00:04:19] [SPEAKER_02]: we had to write up was, um, you know, controlling, uh, you know, sensitive
[00:04:23] [SPEAKER_02]: information, CUI, SCI, et cetera, posted on publicly accessible systems like our podcast
[00:04:28] [SPEAKER_02]: and social media. And we have a procedure to check on that regularly to make sure we
[00:04:31] [SPEAKER_02]: didn't accidentally spill something that we shouldn't have. And if we did,
[00:04:34] [SPEAKER_02]: we have our procedures to deal with it. And, uh, yeah, I'm not looking forward to
[00:04:38] [SPEAKER_02]: having to listen to that podcast later and go, oh crap, we forgot to sanitize a
[00:04:42] [SPEAKER_02]: screenshot. Now I need to follow the spill procedure.
[00:04:44] [SPEAKER_03]: You're going to have to review it again. So, but the, uh, one of the things I think
[00:04:48] [SPEAKER_03]: that was really interesting is the, is the dance.
[00:04:53] [SPEAKER_03]: Um, you know, knowing that we're ready for the dance. Can you talk a little
[00:04:57] [SPEAKER_03]: bit about that dance that I'm talking about and how important being ready for it is?
[00:05:02] [SPEAKER_02]: Yeah. So we think through, um, self assessments. When you look at a, at a control under CMMC and
[00:05:08] [SPEAKER_02]: 800-171, they give these big overarching high level statements that if you're, you know,
[00:05:13] [SPEAKER_02]: you don't live and breathe in this world, you're like, this is easy to do. This isn't hard at all.
[00:05:18] [SPEAKER_02]: Right. But you need to assess that and understand it. So fortunately for us,
[00:05:23] [SPEAKER_02]: there is an assessor guide, in the form of NIST 800-171A
[00:05:27] [SPEAKER_02]: or the CMMC level two assessment guide. And that starts giving us those more,
[00:05:31] [SPEAKER_02]: more pointed examples. And that's where we start breaking those controls down to their
[00:05:35] [SPEAKER_02]: individual assessment objectives. Right. So when we start doing that, we have to understand and
[00:05:40] [SPEAKER_02]: look at a control, figure out how many assessment objectives there are, what evidence is expected
[00:05:45] [SPEAKER_02]: to meet that. And then do we actually have that evidence? Like how are we actually doing it?
[00:05:50] [SPEAKER_02]: Right. Um, because it's one thing to say, Oh yeah, of course I run my employees through
[00:05:53] [SPEAKER_02]: security awareness training. Okay, can you prove it? Do you have a record to prove it? You know,
[00:05:58] [SPEAKER_02]: so that's kind of an interesting song and dance of first off, is it in a policy somewhere?
[00:06:04] [SPEAKER_02]: Do you have a procedure for it? Does that procedure result in evidence?
[00:06:08] [SPEAKER_02]: And then can you talk about it in your system security plan?
[00:06:11] [SPEAKER_03]: Yeah. And that dance that you're sort of talking about is you've got to be able
[00:06:15] [SPEAKER_03]: to dance it in front of an auditor. Right. You don't, you don't want to be sitting there
[00:06:18] [SPEAKER_03]: going, Oh, can we do a half this? You know, like you, you want to be each time the auditor's like,
[00:06:25] [SPEAKER_03]: okay, we're doing 3.3.1 alpha. Go tell me where you're at here and you go through and you do this
[00:06:32] [SPEAKER_03]: and you talk about here's our SSP. Hey, here's these things. And you want to be ready to do
[00:06:38] [SPEAKER_03]: the dance for all 320 assessment objectives. Now, if you did a really bang up job and you
[00:06:44] [SPEAKER_03]: wrote a really good system plan, you gave your auditor in phase one a lot of great information,
[00:06:49] [SPEAKER_03]: there's a possibility a chunk of the controls may have already been met before you go into your phase
[00:06:54] [SPEAKER_03]: two, which that'll be a whole other pro tip conversation we'll have later. But there's going
[00:07:00] [SPEAKER_03]: to be a certain amount of controls that on your phase two that they're going to want to see,
[00:07:04] [SPEAKER_03]: and they're pretty much no matter how much evidence you want to provide them in advance,
[00:07:08] [SPEAKER_03]: they're always going to want to see, right? Yeah, I think when we were going through that
[00:07:11] [SPEAKER_02]: exercise ourselves, not too terribly long ago, you know, we were talking about, you know, hey,
[00:07:16] [SPEAKER_02]: we went ahead and we've already captured a whole bunch of evidence for you. Well, our
[00:07:20] [SPEAKER_02]: assessor brought up a point where that's great that you had that configuration that was true at
[00:07:24] [SPEAKER_02]: one point in time. But we don't know as much as they don't know as an assessor,
[00:07:28] [SPEAKER_02]: was that one point in time an hour before they jumped on the call with us?
[00:07:32] [SPEAKER_02]: Was it last week? Was it last month or was it last decade? Right. They need to prove
[00:07:36] [SPEAKER_02]: that as a valid real time configuration to satisfy that assessment objective.
[00:07:41] [SPEAKER_02]: And we can take all the great screenshots with dates and timestamps to show that was very recent,
[00:07:46] [SPEAKER_02]: all we want. They still have a requirement to do their duty and assess us fairly and with integrity.
[00:07:52] [SPEAKER_03]: And so I think that brings us down to kind of the most important, you know, like number one
[00:07:56] [SPEAKER_03]: point is you want to make sure that you can go through the SSP, the policies and procedures
[00:08:02] [SPEAKER_03]: that connect to that specific control and then that you have the evidence for that control.
[00:08:08] [SPEAKER_03]: And you can prove it in some type of fashion or form and you're ready to show that if the
[00:08:13] [SPEAKER_03]: auditor right then says, right now, ready? Go show me. You've got it. That's the dance that
[00:08:18] [SPEAKER_03]: we're sort of talking about. And that was one of the things that kind of got, we got a little bit
[00:08:21] [SPEAKER_03]: gobsmacked about is as we were going through to do it, we had our SSP and our policies
[00:08:26] [SPEAKER_03]: and we felt really good, but we hadn't gone through that dance in our head across all 320
[00:08:31] [SPEAKER_03]: and we're ready to go so that when the auditor is looking at us, we're not kind of kind of going,
[00:08:37] [SPEAKER_03]: you know, we're like, we're ready to go. You don't want to have stage fright at that moment.
[00:08:40] [SPEAKER_02]: You really want to crush it. Right. And there's something really, really crucial
[00:08:43] [SPEAKER_02]: to highlight and all that is these controls are so interconnected
[00:08:48] [SPEAKER_02]: that you want to make sure that you don't run into a failure point somewhere along that
[00:08:52] [SPEAKER_02]: chain. A great example of that being is, you know, if we're talking incident response,
[00:08:56] [SPEAKER_02]: one of the methods to help coordinate incident response activities are your audit logs.
[00:09:00] [SPEAKER_02]: Well, if one of your audit log connectors failed and isn't sending that telemetry over,
[00:09:06] [SPEAKER_02]: you may not be able to demonstrate that evidence. So you've got to, you know,
[00:09:09] [SPEAKER_02]: keep an eye on all that stuff and make sure those interconnections are working as intended
[00:09:13] [SPEAKER_02]: because you can start to think of these things and go, yeah, audit logs,
[00:09:16] [SPEAKER_02]: this is to prove who did what and when, like that's separate from incident response.
[00:09:19] [SPEAKER_02]: Well, no, if I'm responding to an incident and investigating suspicious activity,
[00:09:22] [SPEAKER_02]: I'm going to need those logs to validate and verify.
[00:09:25] [SPEAKER_03]: Well, and a little bit of a pro tip here is if you know that you have some evidence you're going to
[00:09:30] [SPEAKER_03]: have to present for a specific control, if you could pick one control or one bit of evidence
[00:09:37] [SPEAKER_03]: that shows a ton of things checked off in the process presenting that, right? That in your
[00:09:44] [SPEAKER_03]: process of showing your evidence, you prove you have audit logs, you prove that you have
[00:09:48] [SPEAKER_03]: all of these different types of things. That's the best kind of evidence, right?
[00:09:53] [SPEAKER_03]: That not only solves the specific control you have, but the auditor looks at that and goes,
[00:09:58] [SPEAKER_03]: oh man, he just by showing me this evidence knocked this one off, this one off, this one off,
[00:10:02] [SPEAKER_03]: this one off and this one off. And that could be a huge help for them. So that's where when
[00:10:08] [SPEAKER_03]: you're showing that to them, sometimes you have to just be really quiet and let them take some
[00:10:11] [SPEAKER_03]: notes and make sure they get caught back up before you move on to the next thing.
[00:10:17] [SPEAKER_03]: And that's another kind of pro tip that could be a huge help there.
[00:10:20] [SPEAKER_02]: Yep, and a great simple example of that in practice. We have in our access control policies
[00:10:25] [SPEAKER_02]: that in order to be granted access to our environment, an employee must be sufficiently trained.
[00:10:31] [SPEAKER_02]: We have our selected training mechanisms to handle that. And as part of their access request
[00:10:36] [SPEAKER_02]: process is part of my job, to look through that access request and go, is this employee
[00:10:41] [SPEAKER_02]: properly trained? Well, the AC domain comes before the AT domain. So if our assessors
[00:10:47] [SPEAKER_02]: is going right down the list, they go through, okay, well, how do you govern access to your
[00:10:50] [SPEAKER_02]: environment? We go, well, we have this fancy policy and this fancy procedure that gives this
[00:10:54] [SPEAKER_02]: final result. And here's evidence of an employee that's been onboarded into the system where
[00:10:59] [SPEAKER_02]: we reviewed for least privilege, we did this, that and the other, and we also validated
[00:11:02] [SPEAKER_02]: their training requisites as a prerequisite as defined in our process. That all of a sudden
[00:11:07] [SPEAKER_02]: shows that assessor, they do have training built into this, they do have evidence
[00:11:11] [SPEAKER_02]: that they've done it, and it's been reviewed and how often it's been reviewed.
[00:11:15] [SPEAKER_02]: That could very well allow our assessor to go through that process and go, let me check these
[00:11:19] [SPEAKER_02]: boxes and put some notes in there real quick. Or he may just simply come or he or she may simply
[00:11:24] [SPEAKER_02]: down the road to say when they get to the AT domain, let's look a little bit closer at those
[00:11:28] [SPEAKER_02]: records. The key important part, the records are already there. Right. And that really can help
[00:11:33] [SPEAKER_03]: make your assessment go much smoother, much faster, as if you're showing really good
[00:11:38] [SPEAKER_03]: quality evidence that encompasses multiple different controls and families. And it can
[00:11:44] [SPEAKER_03]: really help check those off because a lot of times assessors will do bundling in your CCA training.
[00:11:48] [SPEAKER_03]: They talk about doing bundling of controls that work in tandem. So when they go through and
[00:11:55] [SPEAKER_03]: ask you specific questions, a lot of times they're looking at some underpinnings of other things
[00:11:58] [SPEAKER_03]: that they can check off at the same time to try to be efficient because think about it,
[00:12:03] [SPEAKER_03]: the assessor is trying to make money. Their job isn't just to provide some Red Cross service
[00:12:08] [SPEAKER_03]: to you like they're an organization that has to make money and they've got to operate
[00:12:12] [SPEAKER_03]: efficiently and they don't want to sit here and spend countless hours doing the battleship
[00:12:19] [SPEAKER_03]: method of B1 and just like they want to be really efficient and go through and tackle as many things
[00:12:24] [SPEAKER_03]: with one shot if at all possible. So helping them out would really make them happy because
[00:12:30] [SPEAKER_03]: you're helping make their job easier and they do appreciate that.
[00:12:34] [SPEAKER_02]: Yep. And ultimately from my perspective, as the person who's getting asked a lot of these
[00:12:37] [SPEAKER_02]: questions, the faster I can get this assessor to move on to the next point.
[00:12:42] [SPEAKER_02]: The faster I get my assessment over with and I go back to doing my job.
[00:12:46] [SPEAKER_03]: Right. So let's pivot here, Adam. So one of the things that we wanted to show everybody in this
[00:12:52] [SPEAKER_03]: podcast is a template that we have. We got this from the KCD, I think, is it that great? Or
[00:12:57] [SPEAKER_03]: is it the KRA? I'm not sure which one this is from. I think it's from the KCD, but it's
[00:13:01] [SPEAKER_02]: ultimately from Kieri Solutions and it's been a huge help with us. We've done a couple
[00:13:06] [SPEAKER_02]: small tweaks to it to make it a little bit more friendly to us, but I cannot understate or
[00:13:10] [SPEAKER_02]: overstate how words are hard today, apparently. But their templates and documentation and just
[00:13:17] [SPEAKER_02]: having access to their people has been a huge help for us as we've moved through this,
[00:13:22] [SPEAKER_02]: especially when we started going through our evidence process saying,
[00:13:25] [SPEAKER_02]: will this actually work? Just being able to reach out to the team over there and say,
[00:13:28] [SPEAKER_02]: here's what we're trying to do. Here's what we're going to bring into, will this work?
[00:13:32] [SPEAKER_02]: And getting told, yeah, will or in some cases, absolutely not. You guys did this wrong,
[00:13:36] [SPEAKER_03]: do it again. But it's really nice having that backstop that when you're going through
[00:13:41] [SPEAKER_03]: collecting that evidential, like, is this enough? And you can kind of reach out to someone who's
[00:13:45] [SPEAKER_03]: been through multiple, multiple JSVAs and gone through those types of assessments and
[00:13:49] [SPEAKER_03]: work with DIBCAC, they can kind of say, we've actually seen people go through this and they've
[00:13:53] [SPEAKER_03]: done it this way and they tried it this way. They obviously keep everything very sanitized
[00:13:58] [SPEAKER_03]: generic so that no critical or sensitive information is shared, but they are able to talk in general
[00:14:03] [SPEAKER_03]: terms to help us be more in line and be in our lane and make sure that we're going to be successful,
[00:14:09] [SPEAKER_03]: which was a huge help. Yep, absolutely. So Adam, if you would go ahead and share your screen and
[00:14:14] [SPEAKER_03]: what he's going to be sharing now, we try to keep this as podcast friendly. So we're going to talk
[00:14:20] [SPEAKER_03]: about more about what we're seeing, but we also are going to have this and a lot of the media
[00:14:23] [SPEAKER_03]: that we have do allow us to share screens like if you're on Spotify, for example, you can
[00:14:27] [SPEAKER_03]: actually listen and still actually watch the video. But if you're watching on Apple, I'm not
[00:14:31] [SPEAKER_03]: sure if we have that capability on that platform. But what we're seeing here right now is Adam is
[00:14:38] [SPEAKER_03]: showing the self-assessment document. Can you just walk us through a little bit about this
[00:14:44] [SPEAKER_03]: column and how you utilize this tool and how helpful it was for you? Yeah, so fundamentally,
[00:14:49] [SPEAKER_02]: you know, we've got all 110 objectives and all 300 and some assessment objectives here.
[00:14:54] [SPEAKER_02]: And this is nicely broken down by our controls. We've got our requirement IDs all the way on
[00:14:59] [SPEAKER_02]: the far left here. So in this case, we're looking at IR.L2-3.6.1, which then has a
[00:15:05] [SPEAKER_02]: requirement text as a friendly what are we exactly looking for here, which in this case is
[00:15:09] [SPEAKER_02]: establish an operational incident handling capability for organizational systems that
[00:15:14] [SPEAKER_02]: includes preparation, detection, analysis, containment, recovery, and user response activities.
[00:15:20] [SPEAKER_02]: This control has multiple assessment objectives. Fun pro tip when trying to figure out if a
[00:15:25] [SPEAKER_02]: control has multiple assessment objectives. If you start seeing includes and then a bunch of commas,
[00:15:30] [SPEAKER_02]: that's probably its own individual assessment objective. So in this case, we have assessment
[00:15:36] [SPEAKER_02]: objectives alpha through golf. We use the phonetic alphabet when we talk internally,
[00:15:43] [SPEAKER_02]: because you know, letters sound similar. So when we continue to move through our next column is,
[00:15:50] [SPEAKER_02]: well, what's our practice result? Is it satisfied not satisfied or not assessed yet?
[00:15:56] [SPEAKER_02]: We then have a nice little column here that's giving our SPRS score.
[00:16:00] [SPEAKER_02]: In this case of 361, it is a five pointer, which is helpful.
[00:16:04] [SPEAKER_02]: We then have a column with our assessment objective ID. So in the case of our main
[00:16:08] [SPEAKER_02]: overall control there, of course, is no assessment objective ID. But each individual
[00:16:12] [SPEAKER_02]: statement then has its you know, different assessment objectives so alpha, Bravo, Charlie,
[00:16:16] [SPEAKER_02]: etc. Then we have our column that says our text for that assessment objective. So we can
[00:16:21] [SPEAKER_02]: extra focused. Then we have our result. Did we satisfy this control? This is a nice little
[00:16:27] [SPEAKER_02]: drop down. I'll go ahead for those that can see, let them take a look there. We have our choices of
[00:16:32] [SPEAKER_02]: satisfied, other than satisfied, blank (so we haven't done anything yet), evidence requested, or not
[00:16:38] [SPEAKER_03]: applicable. And those are really helpful in our preparation because as we were working through
[00:16:42] [SPEAKER_03]: collecting, we would mark this as, you know, evidence needed, we need more evidence. And
[00:16:48] [SPEAKER_03]: so then because we're utilizing this template, we were able to more easily determine where we
[00:16:53] [SPEAKER_03]: needed more focus, where we were able to spend some more time grabbing some more information,
[00:16:59] [SPEAKER_03]: shoring up our beliefs on some things, asking some questions in areas. And it really helped
[00:17:03] [SPEAKER_03]: me and you collaborate a lot easier to get to that 110 when we felt like we were ready.
[00:17:08] [SPEAKER_02]: Right. And we'll touch on this a little bit further when we get over to our findings
[00:17:12] [SPEAKER_02]: and whatnot. But as we went through this process, when we wanted to say something was
[00:17:15] [SPEAKER_02]: satisfied, what does satisfied mean? So we'd have our findings basically in our interview result,
[00:17:23] [SPEAKER_02]: which really boiled down to when our assessor asked us the question, what are we saying?
[00:17:30] [SPEAKER_02]: That'll then go over to what documents are related and what evidence do we have,
[00:17:33] [SPEAKER_02]: which we'll talk about that in a brief moment. So those are our choices for our AO result
[00:17:38] [SPEAKER_03]: just to make sure we've got that handled. Well, and I think let's double down a little
[00:17:41] [SPEAKER_03]: bit on that because I think I can't be overstated enough, right? Is that satisfied means we're ready
[00:17:49] [SPEAKER_03]: to look the auditor in the eye and we're ready to rock. Like not only can we validate and show
[00:17:56] [SPEAKER_03]: the proof, we can go into this screen, we can share the screen, we can show the document,
[00:18:00] [SPEAKER_03]: we are ready to go. It doesn't mean that we just have some information in an SSP document.
[00:18:04] [SPEAKER_03]: It means we are assessment ready. And I think that's the biggest difference that kind of
[00:18:09] [SPEAKER_03]: smacked us a little bit in the face is like we felt like we were ready, but then we're like,
[00:18:13] [SPEAKER_03]: how would we exactly demonstrate that? Is the evidence that we feel is really strong? And that
[00:18:19] [SPEAKER_03]: made us start questioning, which I think is a good thing. Start questioning our stance on some
[00:18:24] [SPEAKER_03]: stuff and really made us kind of bulk up a little bit on how we are approaching some of these
[00:18:28] [SPEAKER_03]: controls, especially some of the assessment objectives that get a little dicey sometimes.
[00:18:33] [SPEAKER_02]: Right. And I think to your point, something crucial to even triple down on
[00:18:37] [SPEAKER_02]: is what evidence is expected and what are some examples that we can look to?
[00:18:42] [SPEAKER_02]: Because there's so much different stuff there. We can tell an auditor under a different assessment
[00:18:48] [SPEAKER_02]: objective like, hey, we've got this great policy here that says we do this. Well, the auditor may
[00:18:53] [SPEAKER_02]: simply go, that's great that you put words on paper. I need actual proof of this. Show me a
[00:18:58] [SPEAKER_02]: screenshot. Show me an artifact. And that's what we can see here in a couple of these other
[00:19:02] [SPEAKER_02]: columns. We do call that out in our document here, where you have what evidence is expected
[00:19:07] [SPEAKER_02]: and what examples should we be providing. So I'm going to scroll over here and we're going to look
[00:19:12] [SPEAKER_02]: specifically at IR.L2-3.6.1 alpha. That is an operational incident handling capability is
[00:19:21] [SPEAKER_02]: established. Our expected evidence type is a document. And our evidence example should
[00:19:27] [SPEAKER_02]: include our incident response SOP and plan. So Bobby, do you want to play the role of the
[00:19:34] [SPEAKER_03]: assessor here and ask me a question? Sure. All right, Adam, as the assessor put my hat,
[00:19:39] [SPEAKER_03]: assessor hat on here, can you demonstrate to us your incident response plan specifically speaking
[00:19:45] [SPEAKER_03]: to your policies and procedures of how you address that? Yes. So in this case, we're looking at
[00:19:50] [SPEAKER_02]: our controls here and our initial assessment objective is to establish an incident handling
[00:19:53] [SPEAKER_02]: capacity. We've established that through our incident management policy and our
[00:19:57] [SPEAKER_02]: incident response procedures. We can look at those through our incident management policy,
[00:20:01] [SPEAKER_02]: as I mentioned, and our incident response procedures. And we're citing in our spreadsheet here
[00:20:05] [SPEAKER_02]: which specific documents I'm calling out in my SSP statement and that I'm specifically calling
[00:20:11] [SPEAKER_03]: out to our assessor. Now a pro tip here, one of the things that can be helpful is if you
[00:20:15] [SPEAKER_03]: can give a specific location. So like if you gave them an evidence package or they had access
[00:20:21] [SPEAKER_03]: to some type of read only folder, giving them the general idea of where to look. So when they
[00:20:25] [SPEAKER_03]: want to validate that on their own because remember phase one, they're going to collect
[00:20:29] [SPEAKER_03]: that evidence and get it, look at it, make sure that it's a go no go and check that.
[00:20:33] [SPEAKER_03]: But as they go into phase two in between phase one and phase two, most assessors are
[00:20:38] [SPEAKER_03]: going to want to look at as much information as they can and if they can check it off by
[00:20:42] [SPEAKER_03]: looking at what you have here, that's awesome for them and for you. Yep. And as one final
[00:20:47] [SPEAKER_02]: little note on this one here, because we have our policy, our overall incident management policy
[00:20:52] [SPEAKER_02]: says that our organization will prepare for incidents contain, you know, run through the process.
[00:20:56] [SPEAKER_02]: And we've had this up and running for a while and we practice our response procedures.
[00:21:01] [SPEAKER_02]: We were able to cite a specific incident that we had in our environment. It was a test
[00:21:05] [SPEAKER_02]: incident, nothing malicious, nothing bad happened just want to be completely clear
[00:21:09] [SPEAKER_02]: on that one. We did not have an incident. But we did have a fantastic test case
[00:21:13] [SPEAKER_02]: that showed that not only did our policy work, we established our incident handling capacity,
[00:21:19] [SPEAKER_02]: but our technicians when they got that example, were able to follow our procedure as well.
[00:21:25] [SPEAKER_02]: So we're able to say not only do we have this documented, which is what you're looking for,
[00:21:29] [SPEAKER_03]: but we can prove people followed it. Well, and even on top of that, which is kind of cool,
[00:21:33] [SPEAKER_03]: you can, you know, in that process, what it's able to do is it's going, oh, look,
[00:21:37] [SPEAKER_03]: our audit logs are grabbing information. And then, you know, our Sentinel implementation is
[00:21:42] [SPEAKER_03]: triggering and firing an alert. And so now you're checking data connectors. All of this stuff is
[00:21:48] [SPEAKER_03]: just showing a working system that's making this beautiful picture that when you can point that
[00:21:53] [SPEAKER_03]: out to your auditor as you show them that ticket and you went through the process and explain
[00:21:56] [SPEAKER_03]: it. Not only you're telling the story of how you actually meet that objective, but you're
[00:22:00] [SPEAKER_03]: also checking off a lot of other additional ancillary controls that are connected. Like you said,
[00:22:05] [SPEAKER_03]: that spider web and that provides that auditor even more comfort with those other assessment
[00:22:10] [SPEAKER_03]: objectives that they could potentially check off during that process. It's just great. Yeah,
[00:22:15] [SPEAKER_02]: because it's one thing, you know, to say, you know, we've done something, but it's another one
[00:22:20] [SPEAKER_02]: to be able to demonstrate that complete holistic picture in a way that's friendly for an assessor
[00:22:24] [SPEAKER_02]: to where they can look at it and go, okay, I'm going to actually look at that ticket that
[00:22:27] [SPEAKER_02]: you called out. Let's take a look at that. And they can see notes in that ticket saying,
[00:22:31] [SPEAKER_02]: you know, here's how we detected it. Here's our analysis steps. Here's our containment.
[00:22:35] [SPEAKER_02]: And they're looking at that going, cool, whoever followed this clearly knew to put that
[00:22:39] [SPEAKER_02]: information in there. Why did they know to do this? Oh, well, they've been trained on an
[00:22:43] [SPEAKER_02]: incident response procedure that says you have to include this in your work notes.
[00:22:47] [SPEAKER_03]: And this document provides an outstanding cheat sheet to get ready as a team, whoever's
[00:22:54] [SPEAKER_03]: going to be on this assessment process to make sure everybody's on the same page that, you know,
[00:22:58] [SPEAKER_03]: who's responsible for which, who's going to talk about which columns. And then
[00:23:02] [SPEAKER_03]: when the assessor goes to talk to you, everybody knows what they're supposed to do.
[00:23:07] [SPEAKER_03]: Because there's that old adage attorneys have: you never put a witness on the stand that
[00:23:13] [SPEAKER_03]: you don't already know what they're going to say and how they're going to say it, right?
[00:23:16] [SPEAKER_03]: You don't want to start going down this process and just wing it.
[00:23:20] [SPEAKER_03]: You want to know what you're going to say, how you're going to say it,
[00:23:23] [SPEAKER_03]: how you're going to prove it for all 320. And this provides a wonderful cheat sheet
[00:23:27] [SPEAKER_03]: so that everybody could be on the same page to do it. Yep. So I'm going to scroll down
[00:23:32] [SPEAKER_02]: real quick and we're going to look at another real simple control that has far less assessment
[00:23:35] [SPEAKER_02]: objectives that we can look at here. And, you know, of course there are several of them,
[00:23:39] [SPEAKER_02]: but we're going to simply look at, now we're going to move down to IR.L2-3.6.3,
[00:23:46] [SPEAKER_02]: test the organizational incident response capability. Single assessment objective,
[00:23:51] [SPEAKER_02]: the incident response capability has been tested. We in our instance,
[00:23:56] [SPEAKER_02]: we said that we satisfied that because we did do a test. We review this every year
[00:24:00] [SPEAKER_02]: to make sure that our controls and procedures for testing this remain relevant.
[00:24:04] [SPEAKER_02]: We do our incident response tests far more often as required by our policy.
[00:24:08] [SPEAKER_02]: The person responsible for overseeing that, hi it's the person talking right now, it's me.
[00:24:13] [SPEAKER_02]: And the evidence that was requested in this instance,
[00:24:18] [SPEAKER_02]: proof of an incident response tabletop, scheduled or unscheduled, or a penetration test.
[00:24:23] [SPEAKER_02]: They want to see a screen share or artifacts of such in our instance of screen share.
[00:24:28] [SPEAKER_02]: So, Bobby you want to ask me how we do this?
[00:24:32] [SPEAKER_03]: Yeah. So, for IRL 3-6, I missed the object, you slid over, I didn't get to,
[00:24:40] [SPEAKER_03]: I was trying to try to be really fancy and actually use the real term.
[00:24:43] [SPEAKER_02]: You don't have these memorized yet?
[00:24:44] [SPEAKER_02]: No.
[00:24:45] [SPEAKER_03]: Come on man.
[00:24:46] [SPEAKER_03]: Come on.
[00:24:46] [SPEAKER_03]: I did have some, a lot of them memorized from when I was getting ready for my CCP,
[00:24:51] [SPEAKER_03]: but it has left me, you know, 52 plus years of age, my brain is not quite sure.
[00:24:57] [SPEAKER_03]: So, for IRL 2-3.6.8 alpha, can you please speak to us about how you did your incident
[00:25:06] [SPEAKER_03]: response tabletop and can you provide some examples and show us proof that you have done those?
[00:25:12] [SPEAKER_02]: Yeah. So, our IT staff performs tests and drills for incident response activities quarterly.
[00:25:18] [SPEAKER_02]: These are triggered by our cybersecurity maintenance checklist and our results are
[00:25:21] [SPEAKER_02]: recorded in our incident database.
[00:25:23] [SPEAKER_02]: The procedure for our incident response testing is contained in our cybersecurity
[00:25:26] [SPEAKER_02]: maintenance checklist. I as the compliance officer will choose scenarios based on the risks
[00:25:30] [SPEAKER_02]: facing the organization and weighted towards incident types or new systems the team has little
[00:25:34] [SPEAKER_02]: experience with. And our incident management policy requires these drills at least every six
[00:25:39] [SPEAKER_02]: months. Now, we're trying to overachieve a little bit here. We want to get them done
[00:25:42] [SPEAKER_02]: quarterly, but we have to do it at least every six months.
[00:25:45] [SPEAKER_03]: I want to pause what Adam did. I don't know if any of you are noticing what he's
[00:25:49] [SPEAKER_03]: doing here, but what he has done is he's taken, we haven't really talked about this,
[00:25:52] [SPEAKER_03]: but some of you may have picked up on this as we took the individual AOs, the assessment
[00:25:57] [SPEAKER_03]: objectives and we took them out of the SSP that we have written and we condensed them into
[00:26:03] [SPEAKER_03]: the finding section so that he's able to read it when the auditor quizzes him.
[00:26:08] [SPEAKER_03]: The reason why we want to do that is we want consistency and validation of what is written
[00:26:12] [SPEAKER_03]: in the SSP. So, if he can get away with it, he's going to speak to exactly what is
[00:26:18] [SPEAKER_03]: written in the SSP because if he wrote the SSP correctly, that should be enough in general
[00:26:23] [SPEAKER_03]: for what needs to be shared and said. Would you agree with that?
[00:26:26] [SPEAKER_02]: Yep, absolutely. My ultimate goal when doing all this is I want my assessor to look at what I've
[00:26:32] [SPEAKER_02]: written in the SSP when they ask how I satisfied a given control, and I read off some long-winded
[00:26:37] [SPEAKER_02]: statement of, oh yeah, I do this and that and the other and our assessor should go.
[00:26:42] [SPEAKER_02]: Cool, sounds great. Can you speak specifically to this assessment objective?
[00:26:45] [SPEAKER_02]: In the way we broke this down, I can highlight any given assessment objective based on which one it is,
[00:26:50] [SPEAKER_02]: Alpha, Bravo, Charlie, etc. And I can focus in on that and basically regurgitate the same statement.
[00:26:56] [SPEAKER_03]: Now, and they may ask you right, Adam, hey, where is this exactly in your policy? And
[00:27:01] [SPEAKER_03]: we have notes about subsections and other things. A lot of times what I'll try to do
[00:27:06] [SPEAKER_03]: is have it in the wings to show if they go to ask it. So as he's kind of doing the
[00:27:11] [SPEAKER_03]: talking and puppeteering, I'm getting some of the documents and pieces open in the background.
[00:27:14] [SPEAKER_03]: I can show that he can talk through it or he may even have them up and ready to go
[00:27:18] [SPEAKER_03]: and we go through that. And then there may be some more discussions that happen, but
[00:27:23] [SPEAKER_03]: that's moving. Things are flowing and the auditor likes it because we're ready to go.
[00:27:27] [SPEAKER_02]: Yep. And so the final point of our little mock assessment on this control here
[00:27:32] [SPEAKER_02]: is now our auditor says, great, sounds awesome. Perfect. That's exactly what I wanted to hear.
[00:27:36] [SPEAKER_02]: But show me some evidence that you actually did this.
[00:27:39] [SPEAKER_02]: Now, in this case, we'll want to pull up our incident database, pull up our example of our
[00:27:43] [SPEAKER_02]: latest tabletop. You're like, hey, look, for our cybersecurity maintenance checklist,
[00:27:47] [SPEAKER_02]: our tabletop exercise fired off as planned. We got together, here was a scenario that we
[00:27:51] [SPEAKER_02]: discussed. Here was what the team did. And here was our findings and lessons learned
[00:27:56] [SPEAKER_02]: because it's a key item that's important when the specific control is what did we learn from
[00:28:00] [SPEAKER_02]: it? And Bobby, a fun fact for you is if you actually look through our latest risk
[00:28:04] [SPEAKER_02]: assessment, one of our lessons learned is on our risk assessment to remediate.
[00:28:09] [SPEAKER_02]: So that way we can show that continuous improvement. Because again, a tabletop,
[00:28:13] [SPEAKER_02]: especially as we're highlighting here, we're looking for novel attacks facing the organization,
[00:28:19] [SPEAKER_02]: attacks against systems that the team has little experience with, or scenarios that may
[00:28:23] [SPEAKER_02]: actually occur that we have to deal with. So simple ones that I would think through for
[00:28:28] [SPEAKER_02]: any organization, business email compromise, which interestingly enough was our scenario.
[00:28:35] [SPEAKER_02]: We went a little off the rails with it and we had some fun with it.
[00:28:38] [SPEAKER_03]: I made it hard. So you guys know, when I played the aggressor, so we said that Bobby was on
[00:28:45] [SPEAKER_03]: vacation so they couldn't talk to me. And so I created some complexity there. And then I was the
[00:28:50] [SPEAKER_03]: aggressor and then Adam was trying to work through. So we actually went through some scenarios.
[00:28:56] [SPEAKER_03]: I mean, we really threw a lot. I threw a lot at the team and they did a great job.
[00:28:59] [SPEAKER_02]: Yeah, we took a very simple scenario that if your average organization were to run across,
[00:29:06] [SPEAKER_02]: should be a walk in the park to nail. And then we threw every curveball in the book
[00:29:11] [SPEAKER_02]: into the scenario. We gummed up the gears. We made a royal mess of it to see just what the
[00:29:17] [SPEAKER_02]: team would do. Right. And the team drew to their nature and everything like that. They did an
[00:29:21] [SPEAKER_02]: awesome job. They did everything incredibly well. We identified some key lessons so we can be
[00:29:26] [SPEAKER_02]: better next time. And that's what we want to do because we want to get that understanding.
[00:29:29] [SPEAKER_02]: But you know, this podcast episode isn't about incident response tabletops. Maybe that'll
[00:29:33] [SPEAKER_03]: be a good one for another day. Well, at the time of this recording, you know, CrowdStrike is very
[00:29:37] [SPEAKER_03]: fresh on both of our minds, right? That would be an example of it doesn't matter if you got everything
[00:29:43] [SPEAKER_03]: right. Situations can happen that are just plain wrong, that are out of your control and you're
[00:29:47] [SPEAKER_03]: going to have to go ahead and implement your incident response. Even if it isn't a breach,
[00:29:53] [SPEAKER_03]: those incident, the disaster and incident type plans that you're going to have to kick in
[00:29:57] [SPEAKER_03]: to be able to do that. You have to have them trained. You have to have your team ready
[00:30:00] [SPEAKER_03]: to rock because of those types of things that happen. The worst case scenario, things that are
[00:30:04] [SPEAKER_03]: out of your control, you can be doing everything right and stuff happened that isn't even your fault.
[00:30:08] [SPEAKER_03]: But you still have to eat it. You still have to address it. You still got to work through it.
[00:30:13] [SPEAKER_03]: Man, I felt so bad for those people that had to go through CrowdStrike.
[00:30:18] [SPEAKER_02]: You bring up a good point is because we got to keep in mind,
[00:30:21] [SPEAKER_02]: security is more than just having good products in place and having some nice procedures.
[00:30:26] [SPEAKER_02]: Security is about the preservation of confidentiality, integrity and availability of
[00:30:30] [SPEAKER_02]: information assets, et cetera at its fundamental core where we're using it down to its simplest.
[00:30:35] [SPEAKER_02]: A CrowdStrike issue, security could be caused by this security incident. You had a denial
[00:30:40] [SPEAKER_02]: of availability of some core assets in your organizations. You could tabletop that as a
[00:30:46] [SPEAKER_03]: scenario. You have to do restoration. Teams have to go out to address those or however you
[00:30:50] [SPEAKER_03]: want to do it. A lot of that is very much in line with what you would consider an incident.
[00:30:54] [SPEAKER_02]: I saw a tweet from a security professional during that event that said,
[00:30:57] [SPEAKER_02]: a lot of organizations are getting a surprise exercise and ransomware recovery.
[00:31:02] [SPEAKER_02]: Because they're having to recover systems, recover data.
[00:31:05] [SPEAKER_02]: They didn't know what was going on and what the fix was. We were finding out in real time
[00:31:09] [SPEAKER_03]: as info is coming out. Feel for you if you had to go through CrowdStrike that,
[00:31:15] [SPEAKER_03]: whoof man, thoughts and prayers. So I think one of the things too that's really
[00:31:21] [SPEAKER_03]: important here, that I just maybe want to put a bow on this last piece is that
[00:31:27] [SPEAKER_03]: evidence gathering part. What it forced us to do right Adam, is it made sure that we had evidence
[00:31:33] [SPEAKER_03]: for every one of them? And there were some that we thought that we were sort of ready,
[00:31:37] [SPEAKER_03]: but as we went through, we're like, ooh, we might need to shore up this procedure a little bit.
[00:31:42] [SPEAKER_03]: And you know what? This was supposed to fire off and scheduled and run at this time
[00:31:46] [SPEAKER_03]: so that we would have the evidence when we needed it and it didn't. And so we
[00:31:49] [SPEAKER_03]: need to go through and make an adjustment. And where did we sort of kind of,
[00:31:53] [SPEAKER_03]: so going through this really helps build that engine that starts running on its own, right?
[00:31:59] [SPEAKER_03]: That's what you want to have. You want to have the engine that is that CMMC engine
[00:32:03] [SPEAKER_03]: that's just chugging along. Everything's happened and what's supposed to the evidence
[00:32:06] [SPEAKER_03]: gathering on its own. Other people are operating like they want to. And that makes that process
[00:32:12] [SPEAKER_03]: that much easier for you because you want to ultimately get in the groove of running your
[00:32:15] [SPEAKER_03]: business the way it needs to be run. And in that process, you are maintaining the system
[00:32:20] [SPEAKER_03]: and it's creating the evidence so that next time when you go to get audited, you're ready.
[00:32:25] [SPEAKER_02]: Yep. So we got to do this because we require by policy that we perform assessments regularly
[00:32:32] [SPEAKER_02]: amongst ourselves. That's where that frequency of control reviews start to come in.
[00:32:36] [SPEAKER_02]: So we need to start looking at this because we need to make sure we maintain our compliance
[00:32:39] [SPEAKER_02]: posture. The DOD does expect that companies will evolve. They will change. We will grow.
[00:32:45] [SPEAKER_02]: We will adapt and evolve. So we have to make sure that our systems remain in compliance.
[00:32:50] [SPEAKER_02]: And we certainly don't want to wait until our next CMMC audit to come through for a third party
[00:32:55] [SPEAKER_02]: to come in that we've paid a lot of money for to come in and do this exercise for us.
[00:32:59] [SPEAKER_02]: We want to be doing this on our regular cadence. So we want to make this quick and easy
[00:33:04] [SPEAKER_03]: and straightforward. So for us in this situation, we're doing it to be ready for
[00:33:09] [SPEAKER_03]: our audit. But then after we get our level two, at that next year, we have to go through or some
[00:33:16] [SPEAKER_03]: process needs to go through to review this every year until the next assessment, which will be in
[00:33:22] [SPEAKER_03]: three years. So every year you have to go through this. So this is that what we're showing everybody
[00:33:27] [SPEAKER_03]: is a good way to try to check that box so that each year you're checking and building
[00:33:32] [SPEAKER_03]: that evidence. So in the third year and your auditor shows back up, you're like each year
[00:33:37] [SPEAKER_03]: we did this self assessment validated where we're at and they're like,
[00:33:40] [SPEAKER_03]: poof man, that's great. You guys are killing it. And your third, you know, your next renewal of your
[00:33:46] [SPEAKER_03]: CMMC should just go like clockwork. Yep. Anything else we want to mention on the spreadsheet before
[00:33:51] [SPEAKER_03]: I kill our screen and we can keep talking? No, I think that I think he did a great job of
[00:33:55] [SPEAKER_03]: presenting it. So thank you Adam for being the Vanna White on the board there.
[00:34:01] [SPEAKER_02]: I'd like to buy a vowel. There's no vowels in CMMC. I'd like one.
[00:34:04] [SPEAKER_03]: Yeah. Makes for fun acronyms. Yes. Well, I hope this was helpful to everybody to kind of see
[00:34:12] [SPEAKER_03]: and this is just one way that this is the way that we approached it. Is it the only way? No,
[00:34:17] [SPEAKER_03]: there's lots of different ways to slice that bread. Right. To that point, I've built out in
[00:34:22] [SPEAKER_02]: previous job roles, previous lives and everything, my own flavor of this, doing it a different way.
[00:34:28] [SPEAKER_02]: Just once we started working with Curie, Curie provided a lot of stuff and I said,
[00:34:32] [SPEAKER_02]: yeah, this is better than what I did. I'm going to forget mine. Let's go this way.
[00:34:36] [SPEAKER_02]: It's cute. But you know, there's several different ways to slice the bread here.
[00:34:41] [SPEAKER_02]: The key important things whether you're buying a template from somebody,
[00:34:44] [SPEAKER_02]: whether you're building one yourself or you just found one off the Internet and you think
[00:34:48] [SPEAKER_02]: this looks great. This should align, or actually not should, it must align with your assessor guides.
[00:34:55] [SPEAKER_02]: If it is not built off 800-171A, you've got a problem. If it's not built off the CMMC level
[00:35:00] [SPEAKER_02]: 2 assessment guide, you've got a problem because you don't want you just don't want to go off,
[00:35:04] [SPEAKER_02]: you know, off the hip remarks of what's required and everything. Otherwise,
[00:35:08] [SPEAKER_02]: you're going to be in a world of hurt. You want to make sure you're getting the official stuff
[00:35:11] [SPEAKER_02]: from the right people so that you're assessing in line with what your assessors will expect.
[00:35:16] [SPEAKER_02]: Right. And you want to make sure you're being incredibly honest with yourself here
[00:35:19] [SPEAKER_02]: because your assessor is there to find the cracks and things. Right.
[00:35:23] [SPEAKER_02]: And you know, there's a running joke in the CMMC community of all the organizations
[00:35:26] [SPEAKER_02]: that self-attested their perfect 110 SPRS score. And if all those organizations have actually done
[00:35:32] [SPEAKER_02]: it right, well, we probably wouldn't be in this boat right now. But of course, everyone said our
[00:35:37] [SPEAKER_02]: security is great. We've got a perfect score and the DoD audited and said, no, you don't.
[00:35:42] [SPEAKER_02]: And China and our foreign adversaries are over there going look at the cool state secrets
[00:35:46] [SPEAKER_02]: we just got for free. Yeah, right. So I think there's a lot riding on this
[00:35:51] [SPEAKER_03]: and making sure that we follow at least some type of good process of reviewing yourself,
[00:35:57] [SPEAKER_03]: whether it's a third party. I mean, obviously that would be great, but that, you know,
[00:36:00] [SPEAKER_03]: that's that's cost involved. So if you had to do it yourself, we really wanted to show you a way
[00:36:04] [SPEAKER_03]: that you could do it yourself and do it the most accurate ways possible. And there are plenty
[00:36:08] [SPEAKER_03]: of times, right, where me and you just kind of rolled up our sleeves and started looking at each
[00:36:12] [SPEAKER_03]: other like, I think this is this way. I think it's this way. We kind of, you know, we had
[00:36:15] [SPEAKER_03]: to kind of come to terms with some things on how we were looking at it. Not everybody's
[00:36:19] [SPEAKER_03]: going to agree, but you know, we both had the same mission. We worked through some challenges
[00:36:23] [SPEAKER_03]: that we had together and we, we baked, you know, we found consensus and were able to move forward
[00:36:28] [SPEAKER_03]: and we both were better for it. And so I think those are the types of discussions that this kind
[00:36:33] [SPEAKER_03]: of a document or at least some kind of process along those lines are going to create, which
[00:36:37] [SPEAKER_03]: are critical to making sure that you're going to have a 110 score that matters. Make sure
[00:36:41] [SPEAKER_00]: to follow us on LinkedIn and YouTube to stay up to date on the latest CMMC news.
[00:36:45] [SPEAKER_00]: We hope you guys enjoyed today's episode and listen out for the next one. But until then, keep on climbing.