In this conversation, Bobby is joined by Kyle Lai, President and Chief Information Security Officer at KL3. They discuss the challenges and considerations of CMMC compliance for organizations involved in software development. Kyle emphasizes the importance of selecting a C3PAO (CMMC Third-Party Assessor Organization) that understands the unique requirements of software development and can assess the organization effectively. Bobby and Kyle also highlight the need for scoping the software development process, identifying security protection assets, and defining the division of duties between IT and development teams. Kyle advises organizations to have a solid plan in place for managing software components, including vulnerability management and patching.
Website: https://www.axiom.tech/
YouTube: https://www.youtube.com/channel/UCaJagoDasNG3MqLqw2Af_ZQ
Axiom's LinkedIn: https://www.linkedin.com/company/axiomtech/
Bobby's LinkedIn: https://www.linkedin.com/in/bobbyguerra/
Kaleigh's LinkedIn: https://www.linkedin.com/in/kaleigh-floyd-079a52190/
[00:00:00] [SPEAKER_00]: Welcome back climbers, I'm your co-host Kaleigh Floyd and this is another episode of Climbing Mount CMMC
[00:00:11] [SPEAKER_00]: Today Bobby is joined by Kyle Lai, the president and chief information security officer at KL3
[00:00:17] [SPEAKER_00]: They are a certified C3PAO and Kyle is also a certified CMMC assessor
[00:00:23] [SPEAKER_00]: Bobby and Kyle are going to be talking about how to pick the right C3PAO for your company
[00:00:29] [SPEAKER_00]: We're so excited for you guys to hear today's episode and we hope that you enjoy
[00:00:36] [SPEAKER_03]: Kyle thank you so much for joining us today. I really appreciate you coming on the show
[00:00:41] [SPEAKER_01]: Great. Thank you so much Bobby
[00:00:43] [SPEAKER_03]: Now you're a C3PAO organization
[00:00:46] [SPEAKER_03]: And we were talking and you mentioned the fact that you guys also have a lot of experience dealing with
[00:00:53] [SPEAKER_03]: CMMC and organizations that do software development, which to me kind of
[00:00:59] [SPEAKER_03]: CMMC on its own is challenging, but then you add
[00:01:02] [SPEAKER_03]: Software development into the mix, that seems even harder
[00:01:06] [SPEAKER_01]: Yes, absolutely. So we have in some of my background
[00:01:10] [SPEAKER_01]: I was actually a software development
[00:01:14] [SPEAKER_01]: software security group
[00:01:16] [SPEAKER_01]: lead for several Fortune 500 organizations and have gone through the assessment for several software development
[00:01:24] [SPEAKER_01]: organizations under CMMC and NIST 800-171
[00:01:28] [SPEAKER_01]: So we have a lot of experience in this space. It's a little bit different from the traditional IT and MSP as you may
[00:01:37] [SPEAKER_01]: think, but yeah, so this is why we want to share some of the
[00:01:41] [SPEAKER_01]: experience and the knowledge in this space
[00:01:44] [SPEAKER_03]: Well, I mean you have the 110 controls that an organization must meet
[00:01:49] [SPEAKER_03]: But then you throw in the fact that you're developing a software product
[00:01:53] [SPEAKER_03]: At the same time and in that software product, they are going to be a myriad of challenges
[00:01:58] [SPEAKER_03]: A lot of things happen and we're going to get into a lot more of this. I've got so many questions to ask you
[00:02:03] [SPEAKER_03]: I don't think we'll probably have all the time to cover it
[00:02:06] [SPEAKER_03]: But uh, I just feel like that's that in itself is such a unique challenge
[00:02:11] [SPEAKER_03]: But before we kind of get into the nitty gritty of how organizations might want to do this
[00:02:17] [SPEAKER_03]: I kind of want to flip it a little bit. I want to ask you a question
[00:02:20] [SPEAKER_03]: Um, you know if someone was picking a C3PAO
[00:02:25] [SPEAKER_03]: It's really critical to find one that understands your business
[00:02:30] [SPEAKER_03]: So let's say that your organization is doing software development
[00:02:33] [SPEAKER_03]: Like how would you know that the C3PAO would be a good fit for you?
[00:02:37] [SPEAKER_03]: And just so that you all who might be tuning in know, if you don't know what a C3PAO is
[00:02:40] [SPEAKER_03]: That's the organization that will do your assessment and you have
[00:02:43] [SPEAKER_03]: The right to pick your C3PAO. It's not assigned to you
[00:02:46] [SPEAKER_03]: You can go through and they're going to charge you for that so you get the right to pick them
[00:02:51] [SPEAKER_03]: But what are some things that you should probably
[00:02:55] [SPEAKER_03]: Ask or want to know from your C3PAO to know that they are going to understand your business and how
[00:03:00] [SPEAKER_03]: CMMC and software development fit together, because that seems super challenging, which we'll talk about
[00:03:05] [SPEAKER_01]: Yeah, absolutely. So you want to interview a few C3PAOs as you just mentioned
[00:03:11] [SPEAKER_01]: And then you want to interview, the most important thing is, the lead assessor
[00:03:16] [SPEAKER_01]: And the lead assessor who is going to actually
[00:03:19] [SPEAKER_01]: Interview you during the assessment right there are going to be asking the questions
[00:03:24] [SPEAKER_01]: The lead assessor is going to be the most important person that you should and also assessment team
[00:03:30] [SPEAKER_01]: You want to have the lead assessor that have some kind of
[00:03:34] [SPEAKER_01]: Software development background or understand the software industry
[00:03:39] [SPEAKER_01]: Right, because when they are asking questions, you don't want them to ask questions
[00:03:43] [SPEAKER_01]: That are not related to your industry. So, yeah, some
[00:03:48] [SPEAKER_01]: Lead assessor with a software development background understands how the software is developed
[00:03:53] [SPEAKER_01]: Yeah, for example when you're talking about the
[00:03:56] [SPEAKER_01]: vulnerability management, right? You should also ask about how the software
[00:04:00] [SPEAKER_01]: How do you actually identify the vulnerabilities for the software and not just on the
[00:04:05] [SPEAKER_03]: Traditional IT for the politics. Now this is, I'll ask this question
[00:04:10] [SPEAKER_03]: Another question about that specific thing is that
[00:04:15] [SPEAKER_03]: You have to be careful when you're having that conversation with your C3PAO because you have to make sure that you're walking the line
[00:04:21] [SPEAKER_03]: That you're not getting consulting from the C3PAO. You want to ask questions
[00:04:26] [SPEAKER_03]: Help us understand how we walk that line to have those conversations and ask those questions of the C3PAO
[00:04:33] [SPEAKER_03]: That will help them get the answers they need but aren't really stepping into the danger zone of getting consulting
[00:04:38] [SPEAKER_03]: Which is a violation of the code of ethics
[00:04:44] [SPEAKER_03]: Absolutely
[00:04:46] [SPEAKER_01]: And I mean you don't have to get too too deep of a question
[00:04:50] [SPEAKER_01]: You know to select the right C3PAO, but some basic question is like, what is the background of the lead assessor?
[00:04:58] [SPEAKER_01]: Right, that is something that you can ask
[00:05:00] [SPEAKER_01]: Is there a software development background
[00:05:02] [SPEAKER_01]: Or has this person worked in the software industry
[00:05:06] [SPEAKER_01]: Do they understand how, if we develop the software, they assess us?
[00:05:11] [SPEAKER_01]: Right, and a lot of the software-based software companies, they're virtual
[00:05:16] [SPEAKER_01]: Right. Everything's on the cloud. Do you have the cloud experience, because we are in Azure
[00:05:21] [SPEAKER_01]: We are in AWS. Do you know how to assess us? Do you know how to ask the right question?
[00:05:25] [SPEAKER_01]: Those are the questions you should ask when you're interviewing and selecting the C3PAO
[00:05:31] [SPEAKER_03]: And you know if you have things that you've got concerns or questions about there's
[00:05:36] [SPEAKER_03]: You can definitely ask in that selection process
[00:05:39] [SPEAKER_03]: I mean they may not necessarily be able to give you the answers you want to hear or they may have to be
[00:05:44] [SPEAKER_03]: Speaking in some things that are general, but you have the right to ask and
[00:05:48] [SPEAKER_03]: I encourage you to do so
[00:05:51] [SPEAKER_01]: Yes, if the C3PAO doesn't feel comfortable answering some questions, if you're crossing the line, they'll let you know
[00:05:57] [SPEAKER_01]: Yeah
[00:05:58] [SPEAKER_01]: With C3PAOs, they will let you know
[00:06:00] [SPEAKER_01]: But um, you should be able to ask all the questions
[00:06:04] [SPEAKER_01]: You know, make sure that you select the right C3PAO for your organization
[00:06:09] [SPEAKER_03]: Now a good area to step into when you're asking those types of questions is scoping
[00:06:14] [SPEAKER_03]: And when you're talking about scoping around software development, that can be very challenging
[00:06:20] [SPEAKER_03]: Can you walk us through?
[00:06:22] [SPEAKER_03]: How that conversation might go?
[00:06:24] [SPEAKER_03]: What are some things that an organization that does software development like
[00:06:29] [SPEAKER_03]: How do they put that in scope? How do they put certain parts out of scope? You know that
[00:06:34] [SPEAKER_03]: That's a big ask
[00:06:35] [SPEAKER_03]: for me to have
[00:06:36] [SPEAKER_03]: Have you just in one question here?
[00:06:39] [SPEAKER_03]: But uh, why don't you take your swing at it, Kyle? Let's see what you come up with
[00:06:42] [SPEAKER_01]: Sure. Yeah. So when you are doing the software development
[00:06:47] [SPEAKER_01]: Scoping, it's not going to be too different from the traditional
[00:06:52] [SPEAKER_01]: You know how we actually do the scoping with a traditional IT, the non-software
[00:06:57] [SPEAKER_01]: Organization, however, you do want to include the software
[00:07:02] [SPEAKER_01]: Portion in there, right, because you're still going to have the traditional IT, you still have the firewall, VPN
[00:07:08] [SPEAKER_01]: You know if you have right, you know, most likely you will still have some of those
[00:07:13] [SPEAKER_01]: Right, you know workstation servers
[00:07:15] [SPEAKER_01]: but when you
[00:07:17] [SPEAKER_01]: When you are in the software development, you know
[00:07:20] [SPEAKER_01]: Developing the software custom software. There are going to be
[00:07:25] [SPEAKER_01]: Software components that you have to consider right if you develop the software, they're going to be software database
[00:07:31] [SPEAKER_01]: For example, there are going to be some authentication authorization
[00:07:36] [SPEAKER_01]: Mechanisms whichever that might be right api gateway or web application firewall some of those components
[00:07:44] [SPEAKER_01]: You have to consider them and it's best to draw a
[00:07:44] [SPEAKER_01]: Data flow, CUI data flow. If you have the software in scope handling CUI, you want to draw the CUI data flow
[00:07:57] [SPEAKER_01]: Identify how the CUI flows through your software, and the software usually is touching other components as I mentioned
[00:08:06] [SPEAKER_01]: Right listed out all those components. So you understand. Okay from the very beginning
[00:08:11] [SPEAKER_01]: I touched the web application firewall
[00:08:14] [SPEAKER_01]: That actually flow into my application
[00:08:17] [SPEAKER_01]: Then there's the authentication, right? Maybe there's an authentication MFA. They flow into my database
[00:08:24] [SPEAKER_01]: So you want to kind of draw out that flow once you draw that out
[00:08:29] [SPEAKER_01]: Then you will understand
[00:08:31] [SPEAKER_01]: What system, what components that CUI actually touched, and those would be the ones that are in scope
[00:08:37] [SPEAKER_03]: So because that that company might be developing multiple different products
[00:08:41] [SPEAKER_03]: You you may want to scope some of that aspect out
[00:08:45] [SPEAKER_03]: But I mean as an assessor they'd want to know what type of connectivity
[00:08:50] [SPEAKER_03]: Is is in there, right? Yeah, absolutely
[00:08:53] [SPEAKER_01]: Yeah, and if you are communicating with your for example
[00:08:57] [SPEAKER_01]: If you develop an API and you are sharing the API access with your third party
[00:09:03] [SPEAKER_01]: Take that into consideration as well, because that's how CUI flows in and out from your organization through the software
[00:09:10] [SPEAKER_03]: yeah, and and so you would
[00:09:13] [SPEAKER_03]: You would really want to have a good flow diagram to explain and justify
[00:09:17] [SPEAKER_03]: What is in and out of scope and that would definitely be something that the auditor would want to know
[00:09:24] [SPEAKER_03]: And you I guess should be prepared to be able to provide that
[00:09:28] [SPEAKER_03]: What kind of evidence do you feel that they should have ready to make them feel comfortable?
[00:09:33] [SPEAKER_03]: They being the assessor
[00:09:34] [SPEAKER_03]: That the scope is right
[00:09:37] [SPEAKER_01]: Does that make sense what I'm saying? Yep, absolutely. So you definitely want to
[00:09:42] [SPEAKER_01]: You know, as you are drawing out your network diagram, your data flow
[00:09:48] [SPEAKER_01]: Very important to understand and to show the assessor as well
[00:09:53] [SPEAKER_01]: What does the software do right with purpose?
[00:09:56] [SPEAKER_01]: What is the communication? What are the roles and responsibilities the functionalities that the
[00:10:03] [SPEAKER_01]: Specification the design specification the software architecture security architecture
[00:10:09] [SPEAKER_01]: You want to show all that as well to the to the assessor so there's an understanding in terms of what the software does
[00:10:17] [SPEAKER_01]: Once they understand what the software does
[00:10:19] [SPEAKER_01]: You show them the data flow, then it will be a lot more clear for the assessor to understand what they're looking for
[00:10:27] [SPEAKER_03]: Because they want to know if that data is sitting in a different cloud platform
[00:10:34] [SPEAKER_01]: Yeah, or self-hosted
[00:10:37] [SPEAKER_01]: Right, right. So they want to know all of that and if you are using some components, you know, you know kind of
[00:10:45] [SPEAKER_01]: Azure or AWS, you want to show the FedRAMP
[00:10:49] [SPEAKER_01]: FedRAMP authorization or ATO as well
[00:10:53] [SPEAKER_01]: If there are some components
[00:10:55] [SPEAKER_01]: That you use for example, if you are using a another web application firewall
[00:11:02] [SPEAKER_01]: Or if you are using GitHub or GitLab for the development platform where you actually do the deployment
[00:11:10] [SPEAKER_01]: That's all part of the evidence that you have to show, change management, configuration management
[00:11:15] [SPEAKER_01]: Uh, those are going to be very, very important for software management. Um, you
[00:11:23] [SPEAKER_01]: Yeah, you probably heard about CrowdStrike, right?
[00:11:27] [SPEAKER_01]: Uh, CrowdStrike, they shut down the global IT network a couple weeks ago. Um
[00:11:34] [SPEAKER_01]: I mean just thinking from the CrowdStrike case, it was not caused
[00:11:39] [SPEAKER_01]: You know, by an attack, it was not caused by an attack, right?
[00:11:42] [SPEAKER_01]: But it was actually caused by the actual configuration, missed patch management
[00:11:49] [SPEAKER_01]: Patch management. It was a bad patch, misconfigured something
[00:11:53] [SPEAKER_01]: Um, and that is going to be testing right because they miss some
[00:11:58] [SPEAKER_01]: testing requirements because they are missing some of the quality
[00:12:03] [SPEAKER_01]: So you want to show that you have a quality management. You have the
[00:12:07] [SPEAKER_01]: Precise change management. You have your secure testing
[00:12:11] [SPEAKER_01]: That's all kind of related to the software management. And that's something that you might want to show to the assessor
[00:12:17] [SPEAKER_03]: We'll get into that in some more detail a little bit later, but like, I mean, that's something that's clearly called out by the
[00:12:23] [SPEAKER_03]: the NIST controls about
[00:12:25] [SPEAKER_03]: quality engineering practices and other things in the SC family. Those are things that are talked to
[00:12:32] [SPEAKER_03]: That they're gonna have to be prepared to address
[00:12:35] [SPEAKER_03]: But you sort of touched on this and I think it's really important to bring this out
[00:12:40] [SPEAKER_03]: Is that, you know, like if you're engaged with an MSP
[00:12:44] [SPEAKER_03]: And let's assume they got level two, because they're gonna have to, at least
[00:12:48] [SPEAKER_03]: If the proposed rule plays out like it's supposed to, because at the time of this recording it has yet to drop
[00:12:54] [SPEAKER_03]: Yeah, uh, but if it stays like it is
[00:12:58] [SPEAKER_03]: We as MSPs would have to get certified. So they're gonna do the technical
[00:13:03] [SPEAKER_03]: Part of the support, but the software development
[00:13:07] [SPEAKER_03]: Your IT company is not going to be able to do that for you
[00:13:10] [SPEAKER_03]: You have to do the software development, and that means your hands are going to be involved in the change management pieces, those types of things
[00:13:18] [SPEAKER_03]: Um, so walk us through, like, the difference between the IT security and the IT components and the software development
[00:13:25] [SPEAKER_03]: And how those lines can be blurred and how they need to be kind of really stark especially in audit
[00:13:31] [SPEAKER_01]: Right. So the traditional IT architecture is more like the server, workstation
[00:13:38] [SPEAKER_01]: Firewall, switches, routers, right? So these are the traditional
[00:13:42] [SPEAKER_01]: So the architecture, but for software development
[00:13:46] [SPEAKER_01]: There is another layer
[00:13:49] [SPEAKER_01]: On top of the IT. So when we're talking about the layers, we're talking about, for example
[00:13:56] [SPEAKER_01]: The web application firewall
[00:13:58] [SPEAKER_01]: Right something that handle the security and also
[00:14:04] [SPEAKER_01]: something like
[00:14:07] [SPEAKER_01]: Like a code repository, right, because you have ops, something like that. Yeah, exactly
[00:14:11] [SPEAKER_01]: CI/CD pipelines, continuous integration, continuous development
[00:14:16] [SPEAKER_01]: Deployment pipeline, the CI/CD pipeline
[00:14:19] [SPEAKER_01]: You might have heard of Azure DevOps, GitHub
[00:14:23] [SPEAKER_01]: GitLab, these are the software that are used to manage the development and the deployment of the software, right?
[00:14:30] [SPEAKER_01]: And also like API, if you develop an API there might be something like an API gateway
[00:14:37] [SPEAKER_01]: Right. So if you are using Azure or AWS, there's the API gateway right there
[00:14:42] [SPEAKER_01]: And if you are packaging the software together
[00:14:46] [SPEAKER_01]: Nowadays they put it into containers, right, you might have heard of Docker containers
[00:14:50] [SPEAKER_01]: Yeah, running on Kubernetes, for example. So those are going to be involved in the deployment
[00:14:57] [SPEAKER_01]: So there are different layers
[00:14:59] [SPEAKER_01]: Different components that you want to take into consideration when you are developing software when you're deploying the software
[00:15:06] [SPEAKER_01]: Into production and these are the components. These are all the support components in the software architecture security architecture
[00:15:15] [SPEAKER_01]: You have to
[00:15:17] [SPEAKER_01]: Take into the consideration. Well, and I think this
[00:15:20] [SPEAKER_03]: Yes, you could find an organization that may not necessarily know development and they may pass you
[00:15:25] [SPEAKER_03]: But then perhaps you're doing some things you shouldn't have been doing that would have been caught by a C3PAO organization
[00:15:31] [SPEAKER_03]: That understands software development
[00:15:33] [SPEAKER_03]: Not only is it the C3PAO that passed you, but you now got caught on some bad practices
[00:15:38] [SPEAKER_03]: And you had a spillage or exposure and other people brought into the take, you know, it gets get it can get pretty ugly
[00:15:44] [SPEAKER_03]: um
[00:15:45] [SPEAKER_03]: It's
[00:15:46] [SPEAKER_03]: You know looking at it from a theoretical perspective
[00:15:49] [SPEAKER_03]: So I think really making sure that you find a C3PAO that really understands, as you're going through describing that
[00:15:56] [SPEAKER_03]: I mean, it's not that you have to have a software developer slash, you know, CMMC assessor
[00:16:02] [SPEAKER_03]: I don't know how many of those exist. There's probably not many
[00:16:05] [SPEAKER_03]: Uh, because there's not a lot of CCAs in the world anyway
[00:16:09] [SPEAKER_03]: But you definitely need to find a C3PAO organization that does understand those concepts, because it can get
[00:16:15] [SPEAKER_03]: Really challenging as you start dealing with those types of things, and you want to make sure
[00:16:19] [SPEAKER_03]: That the sniff test that's going to be done during your assessment is the right one
[00:16:22] [SPEAKER_01]: Right. Yeah, you don't want to have a C3PAO start asking questions, or a CCA asking like, what is Kubernetes?
[00:16:31] [SPEAKER_01]: Right, right. So yeah, you want to have someone that understands your infrastructure first
[00:16:37] [SPEAKER_01]: um
[00:16:38] [SPEAKER_01]: Yeah, the background and also the
[00:16:41] [SPEAKER_01]: Software, like we talked about, could be deployed on-prem or it could be deployed in the cloud
[00:16:46] [SPEAKER_01]: So make sure that the CCA also understands the cloud
[00:16:51] [SPEAKER_03]: How do you deploy into the cloud? I'm really glad you brought that up because um
[00:16:56] [SPEAKER_03]: You sort of touched on it a little bit earlier when you were talking about FedRAMP inheritance
[00:17:01] [SPEAKER_03]: Let's double down on that a little bit more
[00:17:03] [SPEAKER_03]: Um, can you talk about the right way to do inheritance in these types of delicate situations, and the wrong way?
[00:17:10] [SPEAKER_03]: To do inheritance, specifically around FedRAMP. Sure. Yeah, so
[00:17:16] [SPEAKER_01]: So first of all
[00:17:18] [SPEAKER_01]: Some software developers I talked to are like, hey, we use Azure and AWS, Azure and AWS are FedRAMP
[00:17:25] [SPEAKER_01]: Moderate or FedRAMP High, so we are good, right? It's like, uh, not really
[00:17:30] [SPEAKER_01]: So we have to get it out of the way first
[00:17:34] [SPEAKER_01]: because
[00:17:35] [SPEAKER_01]: AWS and Azure, they are secured, it doesn't mean that you're secure, because you still have to
[00:17:41] [SPEAKER_01]: You know
[00:17:41] [SPEAKER_01]: Configure, you still have to develop your controls based on the NIST 800-171, CMMC
[00:17:48] [SPEAKER_01]: Right, you still need to have those controls in place and that's on you to develop
[00:17:52] [SPEAKER_01]: You can inherit a lot of these controls
[00:17:55] [SPEAKER_01]: For example, if you are using a web application firewall or if you are using Azure DevOps, some of these tools
[00:18:02] [SPEAKER_01]: Yeah, these tools are secure. But
[00:18:05] [SPEAKER_01]: What is the process that you put on top of these tools?
[00:18:08] [SPEAKER_01]: Those are something that you have to document. You have to make sure that they're effective
[00:18:12] [SPEAKER_01]: Yeah, the software security testing tools are there in GitHub or GitLab. Yeah, it's available for you
[00:18:19] [SPEAKER_01]: But you have to run it right that's on you to run it
[00:18:21] [SPEAKER_01]: So I think these are the the the things that you have to make sure that you
[00:18:27] [SPEAKER_01]: implement the controls based on the NIST 800-171
[00:18:31] [SPEAKER_01]: The NIST 800-171 or the CMMC
[00:18:36] [SPEAKER_01]: We're talking about is the 3.13.2
[00:18:39] [SPEAKER_01]: 3.13.2 that specifically talk about the software development practices architecture and just just one control
[00:18:48] [SPEAKER_01]: Talk about the architecture, but in reality
[00:18:50] [SPEAKER_01]: There are actually a lot more controls that you have to consider
[00:18:54] [SPEAKER_01]: Right because you still have to talk about the access control access control
[00:18:59] [SPEAKER_01]: Yeah, the audit yeah audit controls the security configurations
[00:19:04] [SPEAKER_01]: Um, a lot of these controls that should also be covered when you have the software
[00:19:10] [SPEAKER_01]: They are custom software
[00:19:12] [SPEAKER_03]: Yeah, that
[00:19:12] [SPEAKER_03]: That is so true because there's so such a spider web of things that that happen
[00:19:18] [SPEAKER_03]: In, I mean, that's part of the reason why during assessments a lot of times auditors will bind different families together, because it
[00:19:24] [SPEAKER_03]: They spider web so much into each other that you want to make sure that you're being efficient with your audit same thing about
[00:19:31] [SPEAKER_03]: when you're doing
[00:19:34] [SPEAKER_03]: Your analysis of yourself and how you operate you need to think about how
[00:19:38] [SPEAKER_03]: When you're saying okay, I think i'm good here, but how does that affect other families?
[00:19:42] [SPEAKER_03]: You need to think about those because those will lead through and yeah
[00:19:46] [SPEAKER_03]: And the division of duties is really critical, right? Oh, yeah, absolutely
[00:19:50] [SPEAKER_01]: And that's when you have to develop, you know something like a secure development principles
[00:19:56] [SPEAKER_01]: Or a secure vulnerability management
[00:19:59] [SPEAKER_01]: software want to
[00:20:00] [SPEAKER_01]: software vulnerability management documents and
[00:20:03] [SPEAKER_01]: You know software security testing and patch management these processes
[00:20:07] [SPEAKER_01]: Something that you have to develop to make sure and also make sure you follow right
[00:20:11] [SPEAKER_03]: I want to get a little more into that with you so as an auditor yourself
[00:20:15] [SPEAKER_03]: What kind of division of duties would you expect to see in a development cycle?
[00:20:20] [SPEAKER_03]: I mean, I I think you probably would have some danger, you know close possible
[00:20:25] [SPEAKER_03]: Flashing alarms go off if they're like well
[00:20:27] [SPEAKER_03]: We all have full admin privileges inside our development cycle and we can do and change anything and we can
[00:20:33] [SPEAKER_03]: Like what are some things that you would kind of okay?
[00:20:35] [SPEAKER_03]: They get it like what are some pointers about the division of duties and that type of thing, right?
[00:20:42] [SPEAKER_01]: usually
[00:20:43] [SPEAKER_01]: Usually a developer should not have direct access to production, that
[00:20:49] [SPEAKER_01]: Production and development environments should be separate
[00:20:53] [SPEAKER_01]: Right. That's very that should be very clear to the development organization
[00:20:59] [SPEAKER_01]: Um, and these are some basic concept that we have to know that when you when the assessor goes in
[00:21:05] [SPEAKER_01]: That's what they're looking for
[00:21:07] [SPEAKER_01]: unless
[00:21:08] [SPEAKER_01]: Unless you have a very
[00:21:11] [SPEAKER_01]: You only have a few developers and there is something that you cannot
[00:21:15] [SPEAKER_01]: You cannot just separate the access
[00:21:18] [SPEAKER_01]: For one developer might have to manage the
[00:21:22] [SPEAKER_01]: One developer still have to manage the development
[00:21:25] [SPEAKER_01]: Environment and also production. In that case you still do need to have the exception
[00:21:31] [SPEAKER_01]: Or you do need to have the change management board
[00:21:35] [SPEAKER_01]: review and
[00:21:36] [SPEAKER_01]: Deploy and try to leverage the automated process or deployment
[00:21:41] [SPEAKER_01]: Right, in that case the developers still should not have direct access to the production
[00:21:47] [SPEAKER_01]: But there is an approval directly from the management or change management board saying it's approved
[00:21:53] [SPEAKER_01]: It's okay to release and somebody actually released to the production. There's all the all the trails on all these approvals
[00:22:00] [SPEAKER_01]: Yeah, you want to have that and in terms of the functionalities when you are developing the functionalities you have to make sure that
[00:22:11] [SPEAKER_01]: administrative privileges are separated from the regular user privileges, right?
[00:22:17] [SPEAKER_03]: And you also have administrative controls of training and and policies that can kick in there to help out
[00:22:22] [SPEAKER_03]: I mean it does not everything has to be necessarily technically solved. Uh, that you can have some things
[00:22:29] [SPEAKER_03]: administratively
[00:22:29] [SPEAKER_01]: Yeah, yeah, absolutely and you know based on then the
[00:22:35] [SPEAKER_01]: The 3.13.2 control
[00:22:39] [SPEAKER_01]: Then we know that you have to have
[00:22:42] [SPEAKER_01]: Uh, you have to employ the architecture design the documents you have to develop the software
[00:22:49] [SPEAKER_01]: Development architect techniques design specifications. You have to make sure you put those documents together
[00:22:56] [SPEAKER_01]: So describe how you run how you design your software how you implement your software
[00:23:03] [SPEAKER_01]: And uh, that that is something that is going to be important for you to understand
[00:23:08] [SPEAKER_01]: That these are things that you have to worry about
[00:23:11] [SPEAKER_01]: And also just want to point out
[00:23:14] [SPEAKER_01]: We are not too worried about the development side
[00:23:18] [SPEAKER_01]: We are more worried about the production because what's in the production?
[00:23:22] [SPEAKER_01]: What is in the production should be the software that touches CUI
[00:23:28] [SPEAKER_01]: Your development environment should not have CUI
[00:23:32] [SPEAKER_01]: I hope there's
[00:23:33] [SPEAKER_03]: I didn't even think about that. Wow. Yeah, that's a that's an excellent excellent point
[00:23:40] [SPEAKER_03]: And I guess that should be revealed in your data flow, right? Yeah, exactly. Yeah
[00:23:44] [SPEAKER_01]: That's an excellent point. Yeah, so yeah, we should really focus on the production and the production
[00:23:50] [SPEAKER_01]: When you have the testing before you get into the
[00:23:55] [SPEAKER_01]: Testing before you deploy into the production
[00:23:57] [SPEAKER_01]: And also after you deploy into the production
[00:24:01] [SPEAKER_01]: You might want to do another test to make sure that everything is all running smoothly, right?
[00:24:06] [SPEAKER_01]: vulnerability management
[00:24:07] [SPEAKER_01]: You want to have the code static code analysis?
[00:24:10] [SPEAKER_01]: Those are the software development lifecycle that you have to develop and make sure you follow
[00:24:16] [SPEAKER_01]: And the assessors they are going to look into if you're a software organization. They're all looking to that
[00:24:23] [SPEAKER_01]: Yeah
[00:24:23] [SPEAKER_03]: When you're looking at uh an organization that's doing software development
[00:24:30] [SPEAKER_03]: What kind of things as an auditor would you be looking for to make you feel comfortable that code isn't being pulled in
[00:24:38] [SPEAKER_03]: From untrusted sources, uh, you know, there are
[00:24:42] [SPEAKER_03]: a
[00:24:43] [SPEAKER_03]: prepackaged
[00:24:44] [SPEAKER_03]: uh
[00:24:45] [SPEAKER_03]: DLLs and, you know, OCX files and
[00:24:50] [SPEAKER_03]: other types of API type things
[00:24:53] [SPEAKER_03]: What are some things that that would make you as an auditor feel comfortable that if you're pulling things from other organizations that they're safe
[00:25:01] [SPEAKER_01]: Yeah, so
[00:25:03] [SPEAKER_01]: There are a lot
[00:25:05] [SPEAKER_01]: There's a joke that
[00:25:07] [SPEAKER_01]: They're talking about the software developers nowadays. They are not really creating
[00:25:12] [SPEAKER_01]: Software, they're just assembling
[00:25:14] [SPEAKER_01]: Right, because a lot of the packages are pre-written. They only need to write the code for how to put them together
[00:25:20] [SPEAKER_01]: Um, and it's good and bad, because you can develop software that's very quick
[00:25:26] [SPEAKER_01]: You know, quickly. Yeah, if you're already using a lot of these prepackaged, more well-known packages
[00:25:32] [SPEAKER_01]: That have already been developed. Right
[00:25:35] [SPEAKER_01]: um
[00:25:36] [SPEAKER_01]: But on the flip side, a lot of these software packages are open source
[00:25:41] [SPEAKER_01]: And open source means the community is supporting it
[00:25:45] [SPEAKER_01]: Right, and, uh, community supporting it means vulnerabilities may or may not be
[00:25:51] [SPEAKER_01]: Fixed
[00:25:52] [SPEAKER_01]: quickly, but whenever there are
[00:25:55] [SPEAKER_01]: Components that are being fixed, you have to make sure that these components are patched quickly
[00:26:02] [SPEAKER_01]: So you need to have that workflow in terms of how do you identify, how do you keep track of these open source components?
[00:26:10] [SPEAKER_01]: Right and uh
[00:26:11] [SPEAKER_01]: Yeah
[00:26:12] [SPEAKER_01]: And these tend to be a challenge for a lot of the software development companies
[00:26:18] [SPEAKER_01]: Right, you have to make sure that
[00:26:20] [SPEAKER_01]: You know, you have what I call the software bill of materials. You have to know, first of all
[00:26:26] [SPEAKER_01]: You have to know what software components you have within your organization first, within your software first
[00:26:32] [SPEAKER_01]: Right, and what are the components that you use
[00:26:36] [SPEAKER_01]: Within your software or software environment. Once you have that inventory, you have to develop a way
[00:26:43] [SPEAKER_01]: There are some tools out there
[00:26:44] [SPEAKER_01]: You know, Dependency-Check, free ones, and there are some other commercial
[00:26:50] [SPEAKER_01]: tools that you use to
[00:26:52] [SPEAKER_01]: Monitor and identify if there are vulnerabilities, and if there are vulnerabilities, you want to patch them
[00:26:58] [SPEAKER_01]: Quickly and update your software. Make sure that your software itself
[00:27:05] [SPEAKER_01]: Is free of, you know, reduces the vulnerabilities basically, you know, reduces the risk
[00:27:11] [SPEAKER_03]: So if you didn't see a plan
[00:27:14] [SPEAKER_03]: for the bill of materials in a development
[00:27:18] [SPEAKER_03]: Organization, and you didn't see what you felt was a mature
[00:27:22] [SPEAKER_03]: process of remediation and validation of those types of things
[00:27:28] [SPEAKER_03]: um
[00:27:30] [SPEAKER_03]: Would you pass them?
[00:27:32] [SPEAKER_03]: I'm putting you on the spot there, but I mean, like, that
[00:27:36] [SPEAKER_03]: That is a
[00:27:38] [SPEAKER_01]: Pretty important piece. Yeah, so if they have, so if
[00:27:43] [SPEAKER_01]: I'll say you have to actually do the inventory first and understand how they actually do their
[00:27:50] [SPEAKER_01]: Patch management, vulnerability management
[00:27:52] [SPEAKER_01]: The overall picture: how do they manage the risk of, you know, the
[00:27:57] [SPEAKER_01]: Software components, manage the software components, make sure the software is secure
[00:28:02] [SPEAKER_01]: So I think it's looking at the software. If they just don't have anything
[00:28:07] [SPEAKER_01]: to
[00:28:08] [SPEAKER_01]: Do any software security testing, then yeah, it's a red flag
[00:28:11] [SPEAKER_01]: Um, but I mean, in terms of whether they will pass or not
[00:28:15] [SPEAKER_01]: I think it's probably looking at the details on whether they have the overall security practices
[00:28:21] [SPEAKER_01]: That satisfy the risk
[00:28:24] [SPEAKER_01]: Are able to actually minimize the risk
[00:28:26] [SPEAKER_01]: Um, yeah, but if they just say, yeah, we don't have any
[00:28:30] [SPEAKER_01]: Security testing at all. Yeah, we just deploy. Yeah, we made a change
[00:28:35] [SPEAKER_01]: Yeah, it's approved and we just deploy. We don't do any change
[00:28:39] [SPEAKER_01]: Yeah, we don't check any changes. We don't do any security testing before we deploy
[00:28:44] [SPEAKER_01]: Yeah, that would be a red flag
[00:28:46] [SPEAKER_03]: Well, and we know threat actors are coming after downstream development
[00:28:51] [SPEAKER_03]: Supply chain. Those things are readily attacked because they can be such a great opportunity
[00:28:57] [SPEAKER_03]: Because they don't have to worry about propagating at that point. Once they get their foothold in the software
[00:29:02] [SPEAKER_03]: Then the software development and
[00:29:05] [SPEAKER_03]: release of that product becomes the distribution point for them
[00:29:10] [SPEAKER_03]: Which is, you know, we've just sort of described
[00:29:13] [SPEAKER_03]: You know, the situation with SolarWinds, you know
[00:29:17] [SPEAKER_03]: We basically just sort of described what happened with SolarWinds in their situation, because that situation
[00:29:25] [SPEAKER_03]: Was just bad in their management and control, and this kind of goes back to where you had the security, right?
[00:29:31] [SPEAKER_03]: They were able to get in, and then they didn't have a good
[00:29:35] [SPEAKER_03]: Process in their change management and development of their code, and they were able to inject some information
[00:29:40] [SPEAKER_03]: So it was really a failure in multiple, multiple ways
[00:29:44] [SPEAKER_03]: And at that point they were able to inject and then
[00:29:47] [SPEAKER_03]: Basically live off
[00:29:49] [SPEAKER_03]: The development release of that product for months and months and months before they got caught, right?
[00:29:55] [SPEAKER_01]: There's another example. That's Log4j
[00:29:57] [SPEAKER_01]: Right, Log4j, that is actually a vulnerable component. It's in a lot of software
[00:30:04] [SPEAKER_01]: Um, and you know, when the Log4j vulnerability actually came out a couple years ago
[00:30:10] [SPEAKER_01]: um
[00:30:11] [SPEAKER_01]: You can actually see that some of the vendors took a few days to release, to say what software
[00:30:19] [SPEAKER_01]: What software versions or what software
[00:30:22] [SPEAKER_01]: Different software they support actually were impacted by Log4j, and that's because
[00:30:28] [SPEAKER_01]: Kind of speculating here, but most likely because they do not
[00:30:33] [SPEAKER_01]: They did not have a good
[00:30:38] [SPEAKER_01]: Software bill of materials, because they did not know if they actually had the
[00:30:43] [SPEAKER_01]: Log4j components in their software, right?
[00:30:46] [SPEAKER_03]: Yeah, there were some companies that were scrambling just to find that information out
[00:30:50] [SPEAKER_03]: And if you're selling software, that's a bad place to be
[00:30:54] [SPEAKER_03]: Like really, you really should know immediately, go right to your Rolodex of what's in the soup and go, okay
[00:31:01] [SPEAKER_03]: Hey, says right here, Log4j
[00:31:05] [SPEAKER_03]: We got a problem. We need to address this
[00:31:07] [SPEAKER_03]: Right, and sadly some companies didn't have that, which created some challenges for them
[00:31:13] [SPEAKER_01]: Yeah
[00:31:14] [SPEAKER_01]: So I was a software security group lead for a Fortune 500 company
[00:31:20] [SPEAKER_01]: For about three years, and I would have to say that it took me about three years
[00:31:27] [SPEAKER_01]: To actually put that software components
[00:31:31] [SPEAKER_01]: management piece together because
[00:31:34] [SPEAKER_01]: It was not easy
[00:31:37] [SPEAKER_01]: Yeah, it was not easy, and I understand the software components scanning
[00:31:44] [SPEAKER_01]: It's more mature now, because in the last three years a lot of the static code analysis tools, static application security testing tools, have incorporated
[00:31:55] [SPEAKER_01]: the
[00:31:56] [SPEAKER_01]: The software components or open source
[00:32:00] [SPEAKER_01]: Components vulnerability management pieces in their vulnerability assessment
[00:32:05] [SPEAKER_01]: Now, so things should be a little bit easier
[00:32:09] [SPEAKER_01]: And also for software like GitHub or GitLab, they incorporated the
[00:32:15] [SPEAKER_01]: Scanning capabilities within their software, so that they will be able to scan the code and identify the
[00:32:21] [SPEAKER_01]: Software components within the code. So it's more integrated these days. So
[00:32:27] [SPEAKER_01]: Things should be a little bit easier
[00:32:29] [SPEAKER_01]: But again, it's really up to the software developers to make sure that they put these practices in place
[00:32:36] [SPEAKER_03]: So what are some pointers when it comes to
[00:32:40] [SPEAKER_03]: defining types of assets
[00:32:42] [SPEAKER_03]: Like, and what I mean by that is, for those people that are looking at the
[00:32:48] [SPEAKER_03]: Assessment guide, in there it outlines different types of assets, like CUI
[00:32:54] [SPEAKER_03]: Or C-U-I assets, depending on how you like to pronounce it. Sometimes I say
[00:32:58] [SPEAKER_03]: Both. You can have
[00:33:00] [SPEAKER_03]: security protection assets
[00:33:02] [SPEAKER_03]: You have CRMAs. There's different types of asset definitions
[00:33:07] [SPEAKER_03]: When you're dealing in code development
[00:33:09] [SPEAKER_03]: What types of
[00:33:12] [SPEAKER_03]: challenges about creating that scope and defining those assets
[00:33:16] [SPEAKER_03]: Do you see in that development process?
[00:33:20] [SPEAKER_01]: Yeah, so
[00:33:21] [SPEAKER_01]: So I think the software, the software itself, I think we can be very
[00:33:27] [SPEAKER_01]: It's more like a system, right? The software itself, if it touches the CUI, then the software itself
[00:33:32] [SPEAKER_01]: Is a CUI asset
[00:33:34] [SPEAKER_01]: But when you actually start getting into the database, if there are databases
[00:33:38] [SPEAKER_01]: Yeah, there might be database components. Let's consider them CUI
[00:33:42] [SPEAKER_01]: And the database might be stored on another server
[00:33:47] [SPEAKER_01]: Right, and that's why we want to take that into consideration. Right
[00:33:52] [SPEAKER_01]: But when you're talking about, like, web application firewall, API gateway
[00:33:58] [SPEAKER_01]: The web gateway
[00:34:01] [SPEAKER_01]: Those are the
[00:34:03] [SPEAKER_01]: Or there are
[00:34:04] [SPEAKER_01]: There are different gateways, or different, for example, there is a key management system
[00:34:08] [SPEAKER_01]: These are the different components that you want to take into consideration as security protection assets
[00:34:15] [SPEAKER_03]: Right. Gotcha. Yeah, so that all should be part of your design, and you've got to think about what's going to be playing
[00:34:22] [SPEAKER_03]: You know, technical administrative type things, which tend to fall under the security protection assets, like your Entra
[00:34:30] [SPEAKER_03]: Those types of things that control those
[00:34:34] [SPEAKER_03]: Entry points. Those are definitely things that your auditor is going to want to think
[00:34:38] [SPEAKER_03]: This is probably a security protection asset, and they want to see that appropriately
[00:34:43] [SPEAKER_01]: Yep, and it will be important to have the IT MSPs
[00:34:50] [SPEAKER_01]: And, uh, software development organization work together to draw this, uh, the scope
[00:34:57] [SPEAKER_01]: Right. Yeah, scope diagram, and also identify what are the security protection assets, because
[00:35:04] [SPEAKER_01]: If they are not fully in the cloud, if they are still using some components
[00:35:09] [SPEAKER_01]: Or if there are still some workstations that need to
[00:35:13] [SPEAKER_01]: Connect, right, through the VPN or through whatever methods, connect to the cloud to do the deployment
[00:35:19] [SPEAKER_01]: Then that should all be taken into consideration. So IT MSP
[00:35:24] [SPEAKER_01]: Uh, software development organizations should work together to identify the scope and, uh
[00:35:30] [SPEAKER_01]: The workflow, because the workflow might cross over, you know, traditional IT versus the
[00:35:36] [SPEAKER_01]: software
[00:35:36] [SPEAKER_01]: You know, software architecture
[00:35:39] [SPEAKER_03]: And I think, uh, maybe a good
[00:35:42] [SPEAKER_03]: Division of duties, using a matrix to kind of show who's going to be responsible, especially
[00:35:47] [SPEAKER_03]: Uh, who's going to manage that security protection asset. Is the IT department going to handle Entra?
[00:35:52] [SPEAKER_03]: You know, and then who's going to handle the management of access to, if you're using DevOps or some other tool
[00:35:59] [SPEAKER_03]: Okay, well, this person in your development team is going to handle that. Okay, uh, you know, so
[00:36:05] [SPEAKER_03]: Understanding the division of duties, I think, would be a really critical part that you would want to see
[00:36:10] [SPEAKER_03]: Well defined in your assessment. And I think this goes down to
[00:36:15] [SPEAKER_03]: Kyle, um
[00:36:17] [SPEAKER_03]: How, this is probably a pretty slow softball pitch for you here
[00:36:20] [SPEAKER_03]: But like, how important would it be if you're doing software development to talk with a C3PAO
[00:36:26] [SPEAKER_03]: Or a very knowledgeable CCA and get some solid advice before you go to your assessment
[00:36:33] [SPEAKER_03]: Getting that good once-over look, to say I think my scope and everything is correct
[00:36:39] [SPEAKER_01]: Yeah, I mean, for us, obviously we're more familiar with the
[00:36:44] [SPEAKER_01]: Software development side, so we can tell you, yeah, if you have a
[00:36:49] [SPEAKER_01]: If you're a software developer and your environment
[00:36:54] [SPEAKER_01]: If you start, if you are missing the part saying, yeah, we have the firewall
[00:36:59] [SPEAKER_01]: But you did not list out the web application firewall, then we might have a question about where's the web application firewall?
[00:37:06] [SPEAKER_01]: Do you have that, right? Or how do you secure your environment? Well, is that part of the SSP?
[00:37:12] [SPEAKER_01]: So make sure you include that
[00:37:15] [SPEAKER_01]: So we want to make sure that we kind of go through and make sure they have a good scope
[00:37:20] [SPEAKER_03]: And
[00:37:22] [SPEAKER_03]: Maybe a half a day, maybe even a full day conversation with you, but how much money could they save
[00:37:28] [SPEAKER_03]: by not doing the wrong design, right?
[00:37:34] [SPEAKER_01]: Uh, I think
[00:37:36] [SPEAKER_01]: So if they are starting from scratch, yeah, they probably, we can
[00:37:39] [SPEAKER_01]: You know, for the consulting side, we can actually provide guidance in terms of what should be in place
[00:37:46] [SPEAKER_01]: Right, to protect their software application or APIs
[00:37:51] [SPEAKER_01]: So we can provide that guidance
[00:37:53] [SPEAKER_01]: But if they already have the software developed
[00:37:58] [SPEAKER_01]: Then we can provide them the guidance in terms of these are maybe different
[00:38:05] [SPEAKER_01]: components that should be in place to protect
[00:38:07] [SPEAKER_01]: the CUI and show to the assessors that, yeah, you have the proper
[00:38:13] [SPEAKER_01]: testing, security testing, and the protection in place, and
[00:38:18] [SPEAKER_01]: Another thing I did not get into was the data encryption
[00:38:22] [SPEAKER_01]: Right, when you actually handle the CUI with your software
[00:38:26] [SPEAKER_01]: Yeah, you better make sure that you have the data encryption in place
[00:38:29] [SPEAKER_01]: And whatever method that you use to encrypt, are FIPS 140-2 if you're transmitting outside
[00:38:36] [SPEAKER_01]: Right, of your organization
[00:38:37] [SPEAKER_01]: So these are the things that we will be able to actually look into to make sure that software is secure
[00:38:44] [SPEAKER_01]: to handle the CUI
[00:38:46] [SPEAKER_01]: But if you are
[00:38:48] [SPEAKER_01]: by, I mean, if there are
[00:38:51] [SPEAKER_01]: Yeah, I mean, if they do all this
[00:38:53] [SPEAKER_01]: I think it is going to save them a lot of headache if they get to
[00:38:58] [SPEAKER_01]: meet with a
[00:39:00] [SPEAKER_01]: A good CCA that understands the software
[00:39:03] [SPEAKER_03]: Because
[00:39:04] [SPEAKER_03]: You know, we've said this before on the show
[00:39:07] [SPEAKER_03]: spending some time
[00:39:08] [SPEAKER_03]: upfront
[00:39:10] [SPEAKER_03]: Before you start, you touched on this, great call on it
[00:39:12] [SPEAKER_03]: Like before you start, talking to someone who's got a lot of experience that can help you
[00:39:16] [SPEAKER_03]: Make sure that your plan of attack is solid, right? And now, once you've gone through and you've built this
[00:39:23] [SPEAKER_03]: Then do the go/no-go with that same person or another organization that has a really good, solid understanding
[00:39:29] [SPEAKER_03]: And then they can look at that and go, well, you know, you're missing some audit pieces here
[00:39:32] [SPEAKER_03]: You're missing this, and the division of duties isn't quite
[00:39:36] [SPEAKER_03]: well-defined here perhaps, and they might catch a component, like you're saying, Kyle, that might not have been defined
[00:39:41] [SPEAKER_03]: And boy, that could save you
[00:39:44] [SPEAKER_03]: A massive headache during your actual assessment, and just have that, and
[00:39:48] [SPEAKER_03]: It wouldn't take a whole lot of money and time to have that
[00:39:54] [SPEAKER_03]: Examination, and it could save you a ton. Oh, yeah, absolutely
[00:39:57] [SPEAKER_01]: Yeah, we'll be able to actually tell you if this, something that you are doing, is good
[00:40:02] [SPEAKER_01]: If it's missing some components or security protections, you'll be able to actually find out
[00:40:09] [SPEAKER_03]: Well, Kyle, thank you so much for taking time with us today
[00:40:12] [SPEAKER_03]: Are there any other closing remarks that you'd like to leave us with? Yes
[00:40:16] [SPEAKER_01]: Also, you know, on our website we actually developed resources that will be able to help companies
[00:40:22] [SPEAKER_01]: Software development companies. They'll be able to download some resources. For example
[00:40:29] [SPEAKER_01]: The secure development principles
[00:40:31] [SPEAKER_01]: All right, so secure engineering
[00:40:35] [SPEAKER_01]: Principles, secure API development principles, those are made available on our website
[00:40:41] [SPEAKER_01]: It's klcconsulting.net; in the top navigation go to Resources and you will be able to download them
[00:40:47] [SPEAKER_01]: Awesome
[00:40:48] [SPEAKER_03]: Well, Kyle, thank you so much for taking time out of your day and for just sharing this knowledge
[00:40:52] [SPEAKER_03]: As far as I know, I don't know of anybody that's really talked about this publicly in a podcast
[00:40:57] [SPEAKER_03]: Um, and I think it's definitely something that
[00:41:00] [SPEAKER_03]: That, uh, people should want to know about if they're doing software development
[00:41:04] [SPEAKER_03]: And, uh, so I appreciate you taking the time just to kind of drop some nuggets of wisdom on us based on your experience
[00:41:10] [SPEAKER_01]: Sure. Sure. Yeah. Thank you so much for having me. Yeah
[00:41:14] [SPEAKER_03]: Well, climbers, I appreciate you joining us for another episode, and, uh, for all of y'all
[00:41:21] [SPEAKER_03]: That are tuning in from various different sources, uh, you know, just be sure to click like and subscribe
[00:41:27] [SPEAKER_03]: And try to make sure you're staying up to date and following us on the latest things that are happening
[00:41:32] [SPEAKER_03]: And we'll also have in the description more information about Kyle and his C3PAO organization and what they do
[00:41:37] [SPEAKER_03]: Check him out and find out more about him, especially if you're doing software development or you need some consulting services
[00:41:43] [SPEAKER_03]: C3PAOs don't just do audits. They also can help you with gap assessments and
[00:41:47] [SPEAKER_03]: Consulting conversations. Now, once you engage them, they're not going to be able to do your assessment
[00:41:51] [SPEAKER_03]: But they can provide you valuable, valuable, valuable insight that can save you a lot of headache
[00:41:58] [SPEAKER_03]: Yep, absolutely. So everybody thank you so much for joining us and keep on climbing
[00:42:02] [SPEAKER_01]: Thank you
[00:42:03] [SPEAKER_00]: Make sure to follow us on LinkedIn and YouTube to stay up to date on the latest CMMC news
[00:42:09] [SPEAKER_00]: We hope you guys enjoyed today's episode and listen out for the next one, but until then keep on climbing