The Alphabet Soup of CMMC
Climbing Mount CMMC, June 20, 2024
00:35:44, 24.58 MB

If you are on your CMMC journey, like us, you've noticed the MANY acronyms that come with the landscape. We are here to break down the different acronyms and how they connect to each other. We hope that you enjoy today's podcast!

Website: https://www.axiom.tech/
YouTube: https://www.youtube.com/channel/UCaJagoDasNG3MqLqw2Af_ZQ

Axiom's LinkedIn: https://www.linkedin.com/company/axiomtech/

Bobby's LinkedIn: https://www.linkedin.com/in/bobbyguerra/

Kaleigh's LinkedIn: https://www.linkedin.com/in/kaleigh-floyd-079a52190/

[00:00:00] Welcome back climbers. I'm your co-host, Kaleigh Floyd, and this is another episode of Climbing Mount CMMC. We believe that there should be a dictionary just for CMMC terms. So in today's video,

[00:00:16] Bobby and I are talking about all of the different definitions and words that have to do with CMMC. We're so excited for you guys to join us in today's episode, and we hope that you enjoy.

[00:00:31] Today, we are going to be talking about the alphabet soup when it comes to the CMMC journey. Now, if many of you guys are like me, you're going to have these conversations with people

[00:00:44] that all of a sudden turn into letters and letters that you may not know at all what they mean, right? And then you're just, and they might not even know what they mean, but they'll

[00:00:55] still say them because they sound cool. Right. Yeah. And then it just turns into you just nodding your head when you really have no idea what they're saying. So if you're like one of

[00:01:05] those people and you want to get more knowledgeable about the acronyms and the different words that come with CMMC, cybersecurity and stuff like that, we are going to be talking about that today.

[00:01:17] I'm going to be throwing them at Bobby and he is going to be bringing them back. So I mean, Bobby, are you prepared for all of these terms? I'm going to do my best. I'll try to make

[00:01:27] sure that I provide them as accurately as possible for everybody. I'm sure there are some trolls out there that was just waiting with bated breath. They're like, we got him. But I'm going to do my best.

[00:01:37] I'm sure. So here we go. First, I'd like to bring up NIST, which all seems to be capitalized letters. And so some people say NIST, which we decided to just call it NIST,

[00:01:51] right? I've never heard anybody refer to it as NIST. It was just me the first time that I saw it. But I just wanted to throw that in there just in case anybody else did.

[00:02:00] We'll just kind of keep that in our back pocket. And we didn't know that. So NIST, what is NIST? So when I think NIST, I think of Ron Ross. But he's just a person that works there and has had a huge impact on it as well as others.

[00:02:19] Vicki, I can't remember her last name. I always murder it. But Palatari, I think maybe. But they all kind of helped create some standards. But it stands for National Institute for Standards and Technology. I think I said that right. And it's more than

[00:02:35] just security standards. They come up with all kinds of standards, weights, and measurements. They come up with computer standards. They come up with anything that might need to be accurately gauged for the government or just it doesn't even have to be government. A lot

[00:02:50] of private organizations use their standards. From what a lot of us are used to is that the 800-171 is a standard that was created to help us start to understand the right way to handle CUI, which we'll talk about in a second, and make sure that it's protected.

[00:03:10] I'm already starting with acronyms on those. But the point is it's just a government organization that is just made up of a bunch of just really brilliant people. They create these standards to help the government operate as well as society,

[00:03:28] just to have some better standardizations. It's one of many organizations inside the government. But it's a pretty important one because a lot of what they do when they're trying to be consistent across the board, they'll look to NIST to create those standards.

[00:03:42] Right. You kind of teased us a little bit in this, but I did want to bring up after NIST, there are sometimes a few numbers that people talk about after referring to NIST like 800-171

[00:03:54] or 800-171A or 853. What are these numbers and what are they for when in regards to NIST? We talked about NIST as a really important organization that creates standards. And one of the really things that was very instrumental that NIST did is that they created

[00:04:16] alignment across the whole government body. So like IRS or the Department of Defense and just list, insert whatever government organization, they were all handling security and how they were doing things differently. They would label things differently. So the executive branch said,

[00:04:33] hey, look, this is ridiculous. We need to have our standardization. And that's where the risk management framework came from. And so NIST created that. They created this standard. And then they said, okay, we need to have some type of document. And that's where 853 came into

[00:04:48] play to measure how the security has to do. This is a very complicated system. And it has over a thousand different. Now at this point, they've had five iterations of 853. And it has over a thousand different security controls of how things should be done from

[00:05:08] account management to audit logs, to even from an executive perspective, like how the governance should be done. And so all of those are defined and they have this standard. And so that's where 853 came in is it was used to kind of help keep the government safe.

[00:05:27] But they had a problem. The government doesn't just do work with just the government. They work with us, non-government people. And so as information is kind of going over the fence, as Ron Ross refers, when it comes over to us, non-government contract people,

[00:05:45] actually people in the government working as contract to help support them, that information when it comes to us, they need to be able to protect that. And so that's where the 800 171 and 171 standard is. Now it's actually SP for special publication, dash 800 171 and 171A.

[00:06:04] And those definitions sort of say when that information hops the fence from the government and comes to us, how's it supposed to be kept safe? Now this information isn't like missile launch systems. It's not classified information. So it's like information like, hey, we need some

[00:06:20] standards on how to do ice makers. We want 20 ice making machines or we need a seatbelt for a jet or something along those lines. It could be at various levels of different stuff, but it's not like super highly sensitive information. It's just information that they

[00:06:39] still want to control it. They want to know who has it, but it's not super sensitive. Mm hmm. So another one that I was thinking about while you were talking that I feel like a lot of

[00:06:50] the time we talk about, you mentioned the DOD and stuff like that. I also hear FAR and DFAR. So there's one that I think has to do with the Department of Defense and something like that.

[00:07:04] So can you explain the difference between those two and what exactly they are? Yeah, so that actually kind of goes well into the stream of information and things coming out of the government to other bodies. So FAR is Federal Acquisition Regulations, I think is what

[00:07:18] that stands for. And really it has a council, they're called the FAR Council, and there's not, I think there's like maybe five or six people on it. And they're in charge of policy when you're trying to do acquisitions from government bodies. So they oversee everybody. So that is,

[00:07:35] highway, IRS, DOD, Homeland, insert whatever government, tons and tons of governments. And so they, the FAR Council and the FAR is kind of the top, if you will, of the list. And then they go down and start having those policies about how things have to happen. So if

[00:08:00] you want to do a contract with the government and you want to be able to provide services to them, those are all going to come through the Federal Acquisition Regulations and all those types of things. That's where the DFARs come in because the DFARs are underneath

[00:08:15] the FARs. So if you're actually looking in the websites, you can actually kind of see the inheritance as you track down these policies, because you have these numbers that are really long and you can sort of track them down to where they connect from the FAR to the

[00:08:29] DFARs in those regulations. And there's lots of different regulations. It's just a lot of times what you're hearing right now in the media is the DFAR regulations, because the Department of Defense was the first organization to kind of get their act together about how to control

[00:08:47] CUI, which is controlled unclassified information. So that's what's sort of starting a lot of this that was happening. But what you're going to start seeing is there's going to be a rule that's coming out this year by the FAR Council, the FAR rule, which is going

[00:09:03] to have its overarching requirement about how that controlled unclassified information is supposed to be handled. And that's going to apply to all government bodies. It's just that the Department of Defense kind of got their act together way earlier than everybody else did.

[00:09:17] And that's where the CMMC program came from. I guess we should have maybe started with this one, but you mentioned CMMC at the end of that. And I was just like, well, let's just say,

[00:09:27] you know, for people that don't exactly even know what that means, just to explain what CMMC is. Yeah, it's kind of funny how the alphabets just kind of connect together. Right. And so the CMMC program is really how it kind of got created is out of the Department

[00:09:44] of Defense frustration. An executive order back in 2010 was given out by Obama to say, hey, look, you guys need to put some requirements about this controlled unclassified information. You

[00:09:57] guys need to have a plan about how it's supposed to go. And they kind of went to the FAR Council and said, hey, you guys need to have a rule about how this is going to handle. The FAR is

[00:10:07] like, that's cool. We'll get back to you later. And later has yet to happen. So that's like 2010. So this has been a long time since they've really officially come out with what the

[00:10:16] rule is. And it's believed that's going to drop this year, which is going to be a big deal. But the DOD kind of led the charge. They came out with their DFAR regulations, which said,

[00:10:27] this is how we want the CUI to be handled. And they kind of gave each other a high five and they attached that standard to 800 171. That's why we had referred to it earlier. So that 171 basically clearly defines if you're taking this information in, this is how you're

[00:10:42] supposed to protect it. This is how you're supposed to keep that information sensitive. And so they were giving each other high fives and said we crushed it. And then they did an assessment to look at how different people that have been taking

[00:10:55] contracts since they released that requirement, they found that nobody was doing them. They got really, really mad. And so the Department of Defense sort of took their toys and left and said, you know what? We're really frustrated because you're not listening to us. We're going

[00:11:08] to create a program and we're going to force you guys to have to adhere to this 800 171 and 171A requirements. And we're going to audit you because obviously, pinky swearing isn't getting it done. And we're going to call it CMMC. So DODs

[00:11:24] really created CMMC program. So it's not really necessarily government-wide. It's a program that the DOD did based off of many, many years ago, a regulation of back in 2000 or executive order back in 2010. And so what you're going to start seeing is

[00:11:43] once that FAR rule comes out, a lot more bodies are going to start adhering to the standard. Now they may want to adopt perhaps some of what the CMMC program is. Nobody's sure exactly how that's going to go. Okay. And so, you know, when you said

[00:11:58] the word executive order, I was curious about there was, there is one that I hear a lot, the executive order 13556. How do you say that? 13556. Yeah. And that's the executive order back in 2002, which is kind of like the

[00:12:20] big bang of the CUI program that started. The Obama administration did it many, many, many moons ago and that started the ball rolling. And then that's where once that executive order came out and just kind of got their hands on it and said, okay, well,

[00:12:35] what kind of standards should we align? Hey, guess what guys, we just finished this standard SP 800 171. Let's use that. And everybody's like, yeah, that's cool. Let's do that. And that's sort of how things... Now, granted, we're summarizing quite a bit here, but that's in a nutshell.

[00:12:53] That's the gist. If you're trying to read the Cliff Notes version. Yes, this is, you know, tech soup, CMMC soup for dummies by Bobby, who is mildly a dummy himself. So we'll just take that as it goes. So we also have been talking about,

[00:13:12] you know, organizations and like what the DOD has started with CMMC and stuff. But I am curious about cyber AB. I've heard that before we talked about it in our podcast with, was it Mark? Yes, Mark Berman.

[00:13:29] And we discussed cyber AB. But could you really explain that a little bit and how that connects to CMMC? Yeah, when I first saw the cyber AB and started trying to get into it, I was like, oh, that must be a government organization.

[00:13:48] They're not. The cyber AB is a nonprofit organization. They don't get any money from the government. That's part of the challenge they have. That's the reason why they're so small, even though they have a massive undertaking to do.

[00:14:01] It's a nonprofit organization that the DOD kind of partners with to try to pull this program off for CMMC. So instead of the DOD saying, you know what, let's create another IRS, someone that's going to do all of these audits, this one massive government body that's

[00:14:20] going to perform in these. And, you know, obviously there's organizations like DIBCAC, which they do assessments and things. They could try to spin them up and make them massive to go through and do all of these audits that they require.

[00:14:32] But that would be kind of the right hand forcing the left hand to do something they may not want to do. So they said, well, let's privatize it. So what they did is the cyber AB was born as a nonprofit organization. And so they're in charge

[00:14:46] of handling the organizations which are called C3PAOs, not C3PO like you see from Star Wars, but C3PAO. And those organizations are responsible for actually doing the assessment for the CMMC program. And the cyber AB is in charge of making sure that they are doing it

[00:15:06] and conducting themselves in a proper fashion. So they're in charge of those C3PAOs and making sure that they adhere to the standards. They also helped spin up another organization called CAICO. And CAICO handles the certification side of things. They're

[00:15:24] a different body. And I think they actually even have a different 501(c) different name and everything, but they handle the certification. So that's where you see people with the CCA and the CCP certifications. That's where all that comes through is CAICO.

[00:15:43] But they're all nonprofit run to help create this ecosystem. That's where the trainers, the training material, all of that stuff goes through CAICO and sort of the cyber AB working as one unit in this ecosystem to try to help all this. So right now there's about 50 to 60

[00:16:01] C3PAO organizations that are qualified to do assessments. And they're all just kind of waiting at the start line for the Department of Defense to finally release their rules and get them approved and final ruled. And then the starter pistol goes off and the assessments

[00:16:16] can start happening. And that's when it's going to really get crazy. And that's all expected to happen at the end of this year, beginning of next year. Okay. Okay. So three, so three, I can't even, I'm not even going to be able to say it.

[00:16:29] 3PAOs do exist. That is a thing. And 3PAOs are actually used to do FedRAMP assessments. And that's a whole other thing when we can talk about that if you want. Well, before you talk about that, I want to confirm that I'm getting this right. So cyber

[00:16:45] AB is a nonprofit that helps people who want to become assessors or C3PAOs. CAICO is the certification body that'll do that. But they're all kind of from the same family. I think it's kind of like they're almost like swivel seats. They're two separate C3PAO

[00:17:06] or 501(c) organizations, but I think they're all kind of under the same building house. They all are kind of sharing resources and working together. But eventually as the assessments start taking off and a lot more money starts coming in, you're going to see

[00:17:24] that organization grow considerably because that's what's kind of holding them back right now. And that's why you saw the RP and RPO programs. I didn't really mention that, but those were like the little babies that kind of started having people with authority

[00:17:43] that the cyber AB kind of sent out into the world or just to start talking about CMMC. And it was only like, I think, a one day course or something that you could go through.

[00:17:54] It was very, very abridged, very short. But that got some people with some quality of knowledge some years back kind of getting into the program. And that also brought money into the cyber AB for them to actually start getting some cash flow in because the government's

[00:18:07] not paying them. And so that's where the RP and RPO started coming into. And then once they got the training material and everything already matured, that's when you saw the CCP start

[00:18:17] to come in, which is now as most of the organizations take that three days to a week to get your CCP full day training sessions. Those are way more advanced. So if you kind

[00:18:29] of put in order of knowledge, a CCP would, their requirements and training is way over the RP and RPO type programs. And then the CCAs are those people that are certified to do the assessments. And there's regulations or requirements around that as well.

[00:18:44] Certified CMMC assessor. That's the only one that I've got so far. You got it. So just remember that I did get one. You got one. You got one. So let's go a little bit back. We talked about this and I said, well, we'll wait, but FedRAMP.

[00:19:05] So I've heard a lot of talk, especially we've had some podcasts with Karen Stanford, who's wonderful and knows a crazy amount about FedRAMP. So what is the connection between, which again, if you want to see more about this with Karen, we have a podcast going into

[00:19:24] the connection between CMMC and FedRAMP. But what is FedRAMP and why should we know about it going through our CMMC journey? Yeah, that's one that a lot of people get confused about. But FedRAMP, I'm probably going to murder this, is Federal Acquisition and Risk Management Program or

[00:19:47] something. Let me look. It's federal? Federal Risk and Authorization Management Program. There we go. FedRAMP. That's it. So the F is capitalized and the E is lowercase and the D is lowercase. Yeah, FedRAMP. The RAMP is uppercase. I guess they just wanted to follow that Apple

[00:20:04] style of uppercase and lowercasing things. But FedRAMP is mentioned before when NIST was having to try to create these requirements for the government. The government, after they had their standards of how to be safe and operate safely, they were high-fiving each other saying,

[00:20:22] man, we're crushing it, guys. We're doing great. We're following RMF. We're making sure that we're operating safely. But there's some cool things that non-federal governments have that we would like to use like Azure or Amazon. Those are all organizations that the government

[00:20:41] was like, we'd like to use those. Those are really, really cool. But they don't use RMF. They're not using those government standards. They're not held to that. So they tried to figure out a way that they could make sure that those standards

[00:20:54] are being held to. And so they came up with the FedRAMP standard. And so what has to happen is a government body has to sponsor that private organization. That's where you get the ATO term that's referred to. And I have no idea what ATO stands for. But basically,

[00:21:09] you have to be sponsored to then come in to be assessed. And then once you get assessed by the FedRAMP standards, and that's where the C... It's not a C3PAO. It's a 3PAO. It's a 3PAO that will do your FedRAMP assessment. They'll assess you, you pass.

[00:21:27] There's a whole process that goes through which is different than the CMMC program. And then they'll be listed on the FedRAMP marketplace. And those are for typically cloud solutions that are out in the cloud to be utilized. And at that point, they've gone

[00:21:42] through all of those requirements. Now, right now as it stands, FedRAMP is really the only standard that can be leveraged in your CMMC assessment. In other words, if you are using one of those organizations like Amazon or Microsoft's GCC or GCC High programs,

[00:22:05] those are basically their Azure environment that has gone through those FedRAMP processes and have been certified. And so if you're using those and they've gone through the FedRAMP, you can kind of inherit some of that and say, okay, well, we're utilizing

[00:22:20] those and it's okay because they've gone through their assessment. So that's where you see a lot of times the FedRAMP and the CMMC kind of come together is if you're using those types of

[00:22:29] tools that have gone through that. Now you don't have to have FedRAMP to do CMMC. And that's a whole other video that a lot of people have covered. So you can watch some of them. But you could use some of the tools that people use. I see.

[00:22:44] Yeah, so if you're using tools that are cloud-based, a lot of times if it's going to contain that kind of information, the auditor is going to want to know, okay, well, is it FedRAMP? Does it have data that is controlled unclassified? They want to know that. And if

[00:22:59] it does, then in their opinion, rightfully so, it's going to have to have some type of standard. And right now, if it's cloud-based, it's going to have to be FedRAMP. So that's where you see a lot of that situation where things that are trying to get CMMC compliant

[00:23:16] are leveraging FedRAMP to do that, but it's not required. Okay. So another thing too that, and this might be maybe a more generalized, not necessarily specific to just a CMMC journey, but I've noticed we call ourselves an MSP.

[00:23:39] And then there are also such things as MSSPs. But another one that I've been hearing recently that you've been saying is ESP. So there's three different things that I've been hearing along those lines. Can you explain those and the difference between the three?

[00:23:55] I absolutely hate them. It's just, but it's a way for you to label an organization to quickly summarize what they do. Managed service provider, managed security service provider, MSSP, and ESP is referred to as external service provider. You see the ESP in reference to

[00:24:18] the CMMC program and the 32 CFR rule that has come out over December of last year, which kind of defines what the CMMC program is. That talks about ESPs, but basically it's an MSP or an MSSP. It's their term for saying, hey, you're using an outside organization that's

[00:24:42] providing some type of technical support for all the controls you have. So for us as an MSP, we're going to help you with your patching. We're going to have to do vulnerability scanning.

[00:24:53] We're going to do your help desk. We're going to help build new machines for you and those types of things. Well, all of those types of things all fall under those standards that NIST

[00:25:02] created for how to handle and keep CUI safe. So that means we're going to have to get level two certified ourselves because we're going to be helping provide those technical controls when that client gets assessed because we're providing it. So if we're going to be

[00:25:18] providing that service, we have to make sure it meets that standard. That means we're going to have to get certified ourselves. And that's where you see that ESP come in is in that 32 CFR. You see I'm referring to ESPs. That's basically us. They're pulling in.

[00:25:32] It doesn't have to be an MSP. You could be maybe a consultant, but if you're providing technical like you're saying, oh, we'll help you in your CMMC journey, but we'll also do scans for your vulnerability. Boom, you just became an ESP. You're providing technical control,

[00:25:49] support for that. The moment you do, boom, you get hooked in. And so that's where they're trying to use that definition to help better people to understand that when you're doing those types of things, you're going to get labeled that and you're going to get pulled in.

[00:26:04] So the last one that I wanted to bring out that I was thinking of, which of course you could probably maybe say a few if I've missed any, but FCI was something that you mentioned to me.

[00:26:17] Yeah, that's federal contract information. So that's a step below of criticality of CUI. So those are- Okay. So they're similar? Well, they're similar in the fact that the government cares about them. For the CMMC program, there are three levels. There's level one, level two, and then level three.

[00:26:37] Level three is still being defined right now. The standard that they have for that is going to be based on 800-172 instead of 171. And so 172 has more controls in it. Mm-hmm. I think they said that to get ready as an organization for level two is going to be

[00:27:02] well north of $100,000, most likely a quarter to half a million to do. To get level three, you're talking multiple millions. The requirements are just much, much higher. They just put a lot more stringent requirements on those.

[00:27:19] But FCI, federal contracting information, is level one. You can just do self-assessments for that. I think there's 17 controls or something like that that's in level one. It's a very low bar to hit. And then once you've documented and recorded that you have all that information,

[00:27:40] then you know that you're meeting that level and you can receive that type of federal contract information and you should be fine. But the government may choose to audit you, but you are not going to be audited for level one.

[00:27:54] So is there anything else that I should mention that I haven't said? Wow. Yeah. I don't know. There's a lot of other tech soup type things. I mentioned CFR. That stands for Code of Federal Regulation. Yeah. You said the number 32 and 48.

[00:28:14] Yeah. So 32 is really the Code of Federal Regulations. That's their definition of the CMMC program for the DoD. And then 48, I think is 42. Is it 48 or 42? 48. 48. Yeah. And all the ones together when you start throwing them. But that one is really

[00:28:35] going to be used to be weaponized into contracts. So that's where you're going to see that start dropping into contracts. And that's where you're going to be seeing the requirement that says, oh, by the way, here's your Lord and Savior 32 CFR, which is going

[00:28:51] to explain to you everything that has to deal with CMMC refer to this. And it's going to have all of that definition and requirement that's going to go along with it. So if there's so many listening to this, that is well, I feel like there could be

[00:29:07] multiple different kinds of people listening to this podcast now. But let's say there's somebody that is an organization that has to find somebody to help them go through this, right? What would you say is the biggest things to look for?

[00:29:25] You've mentioned things like certifications, right? Like CCP, CCA. We're talking about level two certification and CMMC, right? Are those things that they need to be looking for? Do they need to be looking for a specific organization that has specific titles to them?

[00:29:43] You know what I'm saying? Yeah. I'm going to share a preference here. And it's again, this is just me preaching my opinion. And it's not a hard and fast rule. But if you're going to be working to get to level two

[00:30:01] certification, let's just say that you're going to have to do that because you know you're going to be taking that type of information in. I would work with a C3PAO. You could work

[00:30:11] with a CCP or CCA and that's fine. But what you want to know is you want to know how many assessments have you gone through? What's been your experience in this? What's been your experience in that ecosystem? Because it's a considerable amount of money

[00:30:27] to go through to get level two assessed. And like I said, their approach to it is not kind. And if you don't meet it as met, buddy, you'll see again in a few months. And who

[00:30:42] knows how much that's going to cost you. So there's a lot riding on this and almost didn't quite get it. And the assessor that you pick has a different level perhaps of their

[00:30:54] perspective of how kind they might be willing to be for you. So having a C3PAO will help you go through it. Now, they can't do your assessment. So if you engage with a C3PAO, they've now been

[00:31:06] disqualified as having to do any assessment capabilities for you other than they're just providing consulting services. They cannot give you a certification at that point. They've now disqualified themselves from participating in that. But they can still help you on your journey.

[00:31:20] And the C3PAOs have gone through an assessment. So in order for you to be qualified as a C3PAO, you have to be assessed. Now it's not. This is a misnomer. A lot of people don't know this

[00:31:31] is if you're a C3PAO organization, you don't have to, you're not going through the CMMC assessment methodologies. You're going through a NIST 800-171 evaluation. And those are definitely distinct differences between those two. A whole other video about that would probably be

[00:31:50] appropriate. But suffice it to say though, it's still an assessment and it still qualifies and helps them really wrap their head around what they're looking down the barrel of helping their

[00:32:00] clients get through. And if you are just fresh off the boat of being a CCA or CCP and you've had some experiences now as if you're a certified assessor in order for you to officially

[00:32:13] have your certification, you have to actually sit through some assessments and that's sort of being worked out. But you could pass your CCA test but not necessarily be official until you've gone through some assessments. And that's the key there is just you want to work with somebody

[00:32:29] that's got the experience. Like for us ourselves, if we're working with a company, we're going to still recommend that they partner with a C3PAO or somebody and you're like, well, hey, aren't you supposed to, don't you have the knowledge? Aren't you going

[00:32:42] to help them try to do everything? I'm an MSP. That's what I do. I do help, desk support and work with my clients. That is what I have been born and bred to do and we've

[00:32:52] been doing it since 2002. So over 20 years we've been an MSP. That's what we're good at. That's what we do. And we're going to continue to do that. And the defense industrial, sorry, the DIB, the defense industrial base, that's what we're going to be doing. We're going to be

[00:33:06] continuing to do that supporting our clients. But providing comprehensive consulting for somebody and helping them fully meet all of those controls, that's a different animal than just providing managed services. It's different. That's where having somebody who's gone through

[00:33:23] that assessment and has a lot of experience in that is going to be really, really helpful. Yeah, that's great. That's super helpful. Thank you for sitting down with us for this one and answering a lot of questions about different letters and numbers and how they connect and

[00:33:39] whatnot. Which if I'm being really honest with you, I was surprised by how much they did connect when even just having this discussion today. Before I would ask the next one, you actually kind

[00:33:52] of already set it inside of the answer to the one previously. I was really picking that up as you were talking too. So that shows the importance of knowing these terms and why they

[00:34:04] connect because they do connect. And so you will probably need to know these if you are going through your CMMC journey just like us. Also, if you've got ones that you feel like we haven't

[00:34:16] covered and feel free to post if the social media that you're listening or watching this on allows you to post some suggestions and comments and things that maybe perhaps you missed. I'm not getting paid to do this. We're doing this because we have a passion for

[00:34:34] the community and we want everybody just to get better. Perhaps maybe I didn't share some things that were entirely on the nose about things. We're doing our best just like everybody

[00:34:44] else is here. And our goal here is to try to get information out as fast as we can to everybody to help them become more educated because the better and more mature we get in this community,

[00:34:54] the better and easier it is going to be for everybody to be involved. And that's a great thing. What do you always say about high tides? Raises all boats. That's right. Well, thank you guys all for listening into this podcast. We hope you enjoyed.

[00:35:08] Make sure to subscribe if you're on YouTube or follow us if you're on a podcast platform so you can be notified when we upload new episodes. But thank you guys again for just listening. We appreciate you and don't forget to keep on climbing. Bye guys.

[00:35:31] I hope you enjoyed today's episode and listen out for the next one. But until then, keep on climbing.