The Purpose Behind SP 800-172 w/ Dr. Ron Ross
Climbing Mount CMMC, November 14, 2024
29
00:28:05, 19.32 MB


Today, Bobby and Kaleigh are joined by Dr. Ron Ross from NIST, an author of SP 800-172 and MUCH MORE. He shares the true purpose behind the document and what the new draft brings to the table. The draft was published on 11/13/24 and public comments are now being accepted until January of 2025.

Website: https://www.axiom.tech/
YouTube: https://www.youtube.com/channel/UCaJagoDasNG3MqLqw2Af_ZQ

Axiom's LinkedIn: https://www.linkedin.com/company/axiomtech/

Bobby's LinkedIn: https://www.linkedin.com/in/bobbyguerra/

Kaleigh's LinkedIn: https://www.linkedin.com/in/kaleigh-floyd-079a52190/

[00:00:01] Hello, climbers, and welcome back to another episode of Climbing Mount CMMC.

[00:00:12] Everybody, I cannot explain how excited I am to meet Dr. Ron Ross from NIST. Sir, thank you so much for joining us today.

[00:00:20] Thanks for having me, Bobby. It's great to be with you.

[00:00:23] All right, so I was calling you, Dr. Ross, and you said that I should refer to you as Ron.

[00:00:30] I just didn't want to start referring to you as Ron, and then people come at me with pitchforks and knives because of...

[00:00:35] I mean, sir, there's a lot of respect, rightfully so, for your service because you have...

[00:00:39] I mean, how many years, sir, has it been from your Army to NSA to NIST service?

[00:00:44] I mean, it's...

[00:00:45] Well, I'm getting kind of old now, so I don't like to count all the...

[00:00:49] It's been probably around at least 40, I think, and it's going up.

[00:00:52] So I know my wife and I just had our last March, our 44th wedding anniversary.

[00:00:59] Wow.

[00:00:59] Congratulations.

[00:01:00] Those are dates, by the way, those are dates you never want to forget.

[00:01:02] There are certain things you have to be...

[00:01:04] You have to bring your A game, so...

[00:01:06] Yeah, amen to that.

[00:01:07] So, Dr. Ross, let me just open up first with just sort of asking this question of, like, the day in the life of Ron.

[00:01:15] You wake up in the morning and kind of either go into office or...

[00:01:18] Because you guys have such a high cadence of release of documents.

[00:01:22] Like, at the time of this recording, 800-172 in the proposed just got released.

[00:01:27] And so I'm sure you all have to have a lot of interaction, team meetings.

[00:01:32] And I'm just...

[00:01:33] Like, I'm just really curious to kind of look under the hood about how NIST operates and how you're involved in a daily basis and how that sort of works and meeting those high, you know, deadlines that you guys are knocking at.

[00:01:44] Yeah, it's a great question.

[00:01:45] I think I work remotely now for the past couple of years, but the passion...

[00:01:52] We have a small team at NIST, but by all stretch...

[00:01:55] We don't have a whole lot of people doing cybersecurity compared to other organizations, but they all share a common passion for the work.

[00:02:02] And I share that passion as well.

[00:02:04] And so there's a ton of communication.

[00:02:07] It seems we're always busy because the problems in cybersecurity, they're difficult, challenging, and they never end.

[00:02:14] There's always something new to address.

[00:02:16] So we're always kind of in the mode of listening to our customers.

[00:02:19] What are their needs?

[00:02:20] What are the current challenges out there?

[00:02:22] What's going on in the world of cyber attacks or things that are coming onto our radar?

[00:02:27] So we have a lot of interaction with our customers.

[00:02:30] We have a lot of interaction with our team members.

[00:02:33] And whatever the topic is that we're addressing, we will bring the best people to the table that we possibly can.

[00:02:39] We will organize our thoughts.

[00:02:41] We'll usually put out an initial draft.

[00:02:43] You mentioned the 172 this morning.

[00:02:45] We dropped that publication.

[00:02:47] And then our customers get a chance to look at our best effort.

[00:02:52] And we never stand on ceremony.

[00:02:54] We read every public comment that comes back in on every document.

[00:02:58] We take every one of those comments seriously.

[00:03:00] You never know when you're going to get the next great idea.

[00:03:03] And you have to have broad shoulders.

[00:03:05] Sometimes people criticize and there's legitimate criticism.

[00:03:08] And that's part of our job is to take all the comments, good and bad.

[00:03:12] That's my next question.

[00:03:14] That's my next question.

[00:03:15] It's like dive into that.

[00:03:17] I really want to know about that.

[00:03:19] Yeah.

[00:03:19] Sometimes over the years, people complain about the size of the publication.

[00:03:23] There are too many controls.

[00:03:24] And everybody's got their perspective.

[00:03:27] And, you know, when you're sitting where I am and you're developing publications, you're doing that from a perspective of the developer of the pub, the standard or the guideline.

[00:03:36] But on the other end of that, on the other side of that coin is an organization.

[00:03:39] Our people, they have to implement standards and guidelines.

[00:03:42] So one of the first things that you have to learn is the difficulty of implementation because that's where the rubber meets the road.

[00:03:50] And you're developing a standard or a guidance document.

[00:03:54] Some of the things in there, they're a little bit too difficult.

[00:03:57] They're too much.

[00:03:58] They can't be implemented just like you thought they could be.

[00:04:01] So you get feedback and then you do some tweaking.

[00:04:05] You make some adjustments.

[00:04:06] And you try to balance having good security, which you know you have to have to do the job to protect the information, the systems.

[00:04:15] But you also have to balance that with implementation.

[00:04:17] There are costs, schedule, performance issues, which every program manager is aware of.

[00:04:22] So it's that delicate balance that you have to strike.

[00:04:25] And we try to do the best job we can at that.

[00:04:28] Sometimes we hit it right on the mark.

[00:04:30] Sometimes we fall short, but we always are open to course correcting.

[00:04:34] And so every document that we produce, it's never really done.

[00:04:38] It's always going to be subject to the next revision.

[00:04:41] And why is that?

[00:04:42] Because the world is constantly changing.

[00:04:45] There's new threats.

[00:04:46] There's new technologies coming about.

[00:04:50] You're getting new people in the organizations.

[00:04:52] Everything is dynamic.

[00:04:53] And the primary focus on every organization, small, medium or large, government or private sector,

[00:04:59] is on the business, on the mission.

[00:05:02] And so cybersecurity is to help that mission be successful no matter what it is.

[00:05:07] And so we play a part in that.

[00:05:09] But we shouldn't be considered the dominant factor because the mission is always number one.

[00:05:15] That applies to NASA, the Defense Department.

[00:05:18] It applies to the private sector, a Fortune 500 company or a small business who has two or three people who are just trying to, you know, bring some new technology to the forefront or start a small business.

[00:05:31] These are difficult things.

[00:05:33] And we appreciate the challenges that the private sector and the government folks have in building security programs and keeping those programs up to date over time.

[00:05:44] It's not easy.

[00:05:45] And we really appreciate that.

[00:05:47] And that's why I love our customers so much.

[00:05:49] They just they're always bringing their A game and doing the heavy lifting.

[00:05:53] We kind of already said it, but something just was released even today as we're talking.

[00:06:01] So would you be able to kind of paint the scene right now of where you are now at your journey with NIST?

[00:06:09] Well, the FISMA project, which was my love for almost 20 years, that transitioned in 2020 to my colleague Victoria Pillitteri, an awesome computer scientist and engineer, such incredible energy.

[00:06:26] And she's been leading that effort now for, gosh, it's been about three or four years.

[00:06:31] The CUI project, we set apart doing this about two and a half years ago.

[00:06:37] And the goal was to update all four CUI publications.

[00:06:41] And we call them a series now, 171, 171 Alpha, 172, 172 Alpha.

[00:06:49] And so we're halfway through that.

[00:06:52] And when I finish these last two documents, that'll be my last official work on the FISMA side of the house.

[00:06:58] And then I'm going to turn my attention to what I've been doing kind of part time for the last eight years.

[00:07:04] Is this actually 10 years, the security engineering work?

[00:07:07] And I'll share a little bit about that.

[00:07:09] That's a whole new world of cybersecurity and security engineering that is largely untapped today.

[00:07:16] And that's where the future, I believe, is going to be for, you know, getting to where we want to be as far as being protected and well protected across the critical infrastructure and things that matter.

[00:07:26] But so 172 came out today.

[00:07:28] And this is, if I would describe 172, it's kind of adding to the foundation of 171.

[00:07:35] 171 is kind of the concrete foundation of how we would like to protect controlled unclassified information from a non-disclosure point of view.

[00:07:43] That really was tied back to the executive order of 2010, which focused on unauthorized disclosure of CUI.

[00:07:51] And, of course, NARA was building that whole CUI program for the past decade, coming up with the 82 categories and subcategories of CUI, how much protection that information was going to have.

[00:08:06] They chose the moderate baseline and 853 on the federal side.

[00:08:10] And then we decided that the private sector, when the information went over the fence from public sector to private, we had to have some kind of equivalence.

[00:08:19] And that became the 171 document.

[00:08:22] Like all documents at NIST, they're guidance documents until they go into a regulation or some kind of a government-wide policy.

[00:08:31] And that's what's happening with the 171.

[00:08:34] I call that weaponizing.

[00:08:35] Weaponizing.

[00:08:36] I use that all the time.

[00:08:37] I love that term.

[00:08:39] I think it's so eloquent.

[00:08:40] I'm sorry.

[00:08:41] It's just what happens.

[00:08:43] And every agency, you know, can do that on their own or they can, the OMB can do it as part of the OMB policy set that they are responsible for.

[00:08:51] But our job at NIST is not about policy.

[00:08:54] We're about developing the best technical standards and guidelines we possibly can.

[00:08:58] How they're used by federal agencies will be part of policy, regulations, and those kinds of things.

[00:09:05] And so the 171 had to get updated because obviously 2015 is a long time ago and things change.

[00:09:14] And so the new 171 that you saw back in May and the 171 Alpha, it's part of a two things are happening.

[00:09:22] There are two very important things.

[00:09:23] Number one, we decided to transition the language in all of the 171 pubs in that series back to the source language of 853.

[00:09:33] We did that because it became too confusing.

[00:09:36] We had two sets of language out there and people were having difficulty.

[00:09:40] The requirements in 171, the 2015 version, Rev 2 as you see it now, they're stated at a very high level.

[00:09:47] And sometimes that can lead to very different implementations.

[00:09:51] It can confuse assessors.

[00:09:53] There's really no kind of convergence on, you know, what the requirement really ought to do or what the assessors really ought to focus on.

[00:10:00] So you're seeing a transition now from Rev 2 to Rev 3 back to the source language coming from 853 to Rev 5.

[00:10:10] And the other big thing is we had to update it.

[00:10:12] There are lots of things that have happened since 2015.

[00:10:16] So you've got to look at the threat space, the threat landscape, the types of cyber attacks that are going on, how the technology, all of those things that have changed.

[00:10:25] That's what drove the revision 3.

[00:10:28] And then, of course, we had to have the assessment procedures in lockstep with that new Rev 3.

[00:10:34] And that's what drove the 171 Alpha Rev 3 as well.

[00:10:37] That is what I call the concrete foundation of the next generation CUI security requirements.

[00:10:45] Now, whether you're in Rev 2 or Rev 3, it's a heavy lift either way.

[00:10:51] It's up to the agencies.

[00:10:53] The OMB policy is you have one year to implement any new NIST standard or guideline.

[00:11:01] And if it's a new system, you've got to do it right away.

[00:11:04] If it's a legacy system, you get a year.

[00:11:06] But there are always special considerations.

[00:11:09] And the DOD has their own policies and DFARS and all of those things.

[00:11:14] There's the FAR that's being built right now as well, the 170, for that community.

[00:11:19] But however the transition happens, it's going to be an orderly transition in the context of the federal agency that has to actually oversee all that work.

[00:11:29] And it's a tremendous responsibility.

[00:11:31] So now we're in 172 territory, and that's a whole other story.

[00:11:35] What you do and your team does is so critical.

[00:11:38] How do you keep relevant in that knowledge so that you can continue to evolve?

[00:11:46] Like, you know, I think the Rev 2 to Rev 3 evolution for 171 is beautiful.

[00:11:52] And you guys do such a great job of that.

[00:11:55] But how do you stay relevant knowledge-wise with those things that are happening on a day-to-day basis?

[00:12:01] Well, that's a full-time job in itself.

[00:12:04] Yeah.

[00:12:06] One of the things you learn over the years, I've learned, is that you have to be a life learner.

[00:12:10] Never stop learning because there's always something new that's going to surprise you and may influence what you've done before or what you're going to do in the future.

[00:12:19] And so that's kind of what you do.

[00:12:21] You have to talk to lots of people.

[00:12:24] One of the things we try to do all the time is talk to your customers.

[00:12:27] You know, what's on your mind today?

[00:12:29] What are some of the things that you're going through that is a difficult and challenging problem for you?

[00:12:35] Is that problem because of something in one of our NIST standards or guidelines?

[00:12:40] Is it something that we can do a little better on our side?

[00:12:43] Because, you know, our job is to help people build good, solid security programs that they can defend themselves.

[00:12:52] But that's a broad swath of responsibility.

[00:12:56] The implementation is everything.

[00:12:57] And those day-to-day problems that people encounter is invaluable, hearing what their concerns are and then taking those back, looking out at what the threat space looks like, too.

[00:13:07] What are the new types of cyber attacks?

[00:13:09] What are you able to learn that's going on below the – I call that behind the green door, you know, where the intelligence community or the DoD is sharing certain types of things that they're seeing.

[00:13:21] The types of zero days that are popping up on the radar in greater frequency.

[00:13:28] Why is that?

[00:13:29] How can we do a better job of not keeping that attack surface so broad and so robust that the adversaries have – it's like a buffet for them to come in and find that next zero day.

[00:13:41] So it's just keeping that aperture open as far as you can and taking in everything and then trying to make sense of it all and then seeing with what you've learned today, should we use what we learned today to make any course corrections on any of our standards or guidelines?

[00:14:00] And that's kind of how things roll all the time.

[00:14:03] You know, a lot of people don't realize this, but even though we have a public comment period and even though a document gets published and final on our website, we continue to get comments all the time from people.

[00:14:15] And it's not part of an official public comment cycle, but we just file those away.

[00:14:21] We read them out of band, out of cycle, and we file them away.

[00:14:25] And then they stack up.

[00:14:27] And so when the next revision of 172 or 171 comes about, the first thing I do is I go into that bin and say, what kinds of things did people tell us over the past year?

[00:14:37] That's cool.

[00:14:38] And so – and you forget about some of those emails that you received and what the problem was, but you bring them out, you refresh them, and then those become some of the drivers for the changes in that next generation standard or guideline.

[00:14:53] And so, like, are you having – like, have you this month or, you know, this year had those types of conversations that you're like, I'm definitely putting a pin in that.

[00:15:03] You know, I want to circle back around.

[00:15:06] Or maybe talk with Vicki or someone else in the organization to pass the baton in that conversation.

[00:15:12] Has that happened this year with you that you feel comfortable sharing?

[00:15:15] Well, it always happens.

[00:15:16] And that kind of ties into, you know, some of the things that Vicki's doing as far as the – you'll notice now that our content over the past 20 years has been delivered in PDFs on the website.

[00:15:28] As things get bigger and more complicated, that's a problem sometimes because you want to have documents that people can internalize.

[00:15:36] They can get their arms around.

[00:15:38] So, one of the visions that Vicki had, and this started a little bit before she took over, and she's, you know, really gone on steroids now, is to develop what we call the CPRT website.

[00:15:49] That's the online version.

[00:15:50] I love that.

[00:15:51] That is so cool.

[00:15:52] I love that.

[00:15:53] And you're seeing all the documents now transition.

[00:15:55] So, you can hit that website and go to any control, any assessment procedure, any requirement in 171, and eventually 172.

[00:16:02] And it's online.

[00:16:03] Now, this is good just from a content delivery perspective, but the other thing, the other side of that coin is how does a standards organization maintain its relevance in the modern era when standards traditionally are very slow and cumbersome processes?

[00:16:22] If you're working on international standard, you got X number of countries and committees and there's time and it takes a long time.

[00:16:30] But how do you react to an ongoing cyber attack where there's a new threat that pops up?

[00:16:36] This happened to us just, I think it was during this last year.

[00:16:41] And there was a problem.

[00:16:44] We developed a, we call it a beta control.

[00:16:46] Vicki put this new control.

[00:16:48] It was in the IA family.

[00:16:49] I think it was either IA 13, if I recall.

[00:16:52] We put a new control, draft control on the website.

[00:16:57] And we let people look at it almost in real time or near real time.

[00:17:00] And you get comments back on that.

[00:17:02] And then when the comments are closed out, it allowed us to go back and lock that control down and do kind of an interim update to 853.

[00:17:10] So instead of waiting five years between

[00:17:13] Rev. 5 and Rev. 6, you now have the ability to react to ongoing threats or different things that are coming about.

[00:17:21] This is what I would consider a dramatic change in the content delivery mechanisms that NIST is going through.

[00:17:29] And also the reaction time in bringing, I'll call them quasi standards and guidance because it allows you to be flexible and dynamic in bringing content to your customers in a way that can react in almost near real time to those problems.

[00:17:46] So, you know, is that the ideal way to develop a standard where you get everybody, you know, across the globe to comment on it?

[00:17:52] No, but it also it gives you enough time to do a meaningful comment period analysis and reflection and getting, I call it the greatest thing that NIST has is the sunshine that shines from a globe of people that can look at our stuff on the website and provide their perspective.

[00:18:12] This gets back to your original comment in question about sometimes you get that one comment that is so profound and so impactful that it goes right into the document as part of that initial draft.

[00:18:26] It's happened, you know, many times over my career.

[00:18:30] And, you know, when that person ends up seeing that in the document, it's I can just imagine how it is on the other end and say, hey, I just thought that thing went into the black hole, you know, never came out.

[00:18:39] No, it actually went into the black hole and came out in this publication.

[00:18:43] That's how that really reflects how impactful our customers can be.

[00:18:50] Oh, yeah.

[00:18:51] Well, I mean, I saw that in 172.

[00:18:53] I mean, and once I mean, 171, when when when you guys came through the different revisions, like you could you saw like certain sections just disappear based on the conversations that have happened.

[00:19:05] I mean, so it's very obvious that you all operate that way.

[00:19:09] And I think that's pretty amazing.

[00:19:11] And I.

[00:19:13] I think it makes someone feel a lot more comfortable about making those recommendations because they, you know, they know that your team is is taking this very serious.

[00:19:23] Well, 172 is now a lot of people are going to look at that document and say, wow, that thing grew three X from what it used to be.

[00:19:31] The difference is, is that, again, the same things are happening.

[00:19:34] If you think of when 172 came out originally, that was a result of some pretty nasty cyber attacks on some DoD systems.

[00:19:45] We're talking some pretty serious stuff.

[00:19:48] The idea back then was, look, 171 is good.

[00:19:50] It's designed to protect against unauthorized disclosure.

[00:19:54] It does a real solid job of baseline protection.

[00:19:57] But we're talking about nation state adversaries going after critical programs.

[00:20:03] So the CUI itself is still it's at the moderate level.

[00:20:07] So it's kind of that mid-level of protection that we talk about.

[00:20:10] That's what NARA has suggested or required of the federal agencies.

[00:20:15] But one of the things we learned is that when CUI is associated with a critical program or a high value asset, it becomes a much bigger target for the adversary.

[00:20:27] Why?

[00:20:28] Because the information in that context has greater value for the adversary.

[00:20:34] So that was the initial kind of vision for the 172.

[00:20:39] Let's provide it's different.

[00:20:41] It's not a set of you have to do everything.

[00:20:43] It's like, you know, do it all and you're done.

[00:20:46] This is more of along the line of an 853 baseline in 171.

[00:20:51] And then you can add to the baseline.

[00:20:53] So 171 is kind of the baseline.

[00:20:55] And then you go into 172 and you select as many of those enhanced requirements as you need for your specific CUI in your specific critical program or high value asset that you're dealing with.

[00:21:08] And so the DOD and their first round of selection, I think, picked maybe 24 out of the 33.

[00:21:16] I hope those numbers are not.

[00:21:18] They may not be exact.

[00:21:19] But it was something in that that order.

[00:21:20] Now, today, when 172 drops this morning, we've got three times, roughly three times as many requirements.

[00:21:28] And people say, well, man, your work got a lot harder.

[00:21:32] No, it really didn't get harder.

[00:21:33] We just gave you more choices.

[00:21:35] And why are those choices?

[00:21:37] Why are they there?

[00:21:39] Because in working with the DOD, the intel community and other people who have provided us information, we know that these types of attacks now, these empirical attacks that we've seen in the wild, we've actually experienced.

[00:21:53] And also some of the things that are popping up in zero days and how the adversary is able to kind of work under the hood, so to speak.

[00:22:03] So 172 has transitioned from not just focusing on unauthorized disclosure, which is in and of itself an important thing to keep that CUI out of the hands of the adversary from disclosure.

[00:22:15] We talked about billions of dollars in R&D and how if an adversary gets your design documentation for the next generation submarine system or advanced tactical fighter, they don't need to spend that money or those number of years on doing the R&D.

[00:22:28] They just build it to the best of their ability.

[00:22:31] That gives them a strategic and a tactical advantage that puts our warfighters at risk.

[00:22:37] But now we're in the world of what happens if they get in?

[00:22:42] How do you limit the damage they can do?

[00:22:44] And now we're talking about not just confidentiality, we're talking about unauthorized modification and availability, you know, denial of service and those kinds.

[00:22:54] So 172 takes a more of a holistic view of the information.

[00:23:00] The CUI needs to be protected.

[00:23:03] And that means we have to make sure we try to keep the bad guys out, penetration resistance first.

[00:23:09] But if that fails and they're sitting, they penetrate our system, how do we limit the damage they can do?

[00:23:15] And how do we make that system as resilient as it can be so we can continue to support the mission and the things that we're trying to do?

[00:23:24] And that's what we call a multi-dimension protection strategy.

[00:23:27] That's what 800-160 is all about, volumes one and two.

[00:23:32] And you're seeing that reflected now in the 800-172.

[00:23:37] And that's where we have that picture in the publication that shows those three big chunks sitting on top of 171.

[00:23:45] One talks about penetration resistant architecture, damage limiting operations, and cyber and system resilience.

[00:23:53] That's kind of a holistic view.

[00:23:55] And it's really critical because the adversaries are relentless and they are going to do whatever they have to do to get that critical information.

[00:24:04] They're so good at that.

[00:24:05] I wish I had time to have read it before we talked today.

[00:24:11] I do want to give you an opportunity, sir, to just close us out with anything that you feel we need to discuss.

[00:24:22] Obviously, 172 came out.

[00:24:24] If there's anything that you feel that you'd like to cover.

[00:24:26] I mean, we spent some time talking about it as well.

[00:24:29] And then also your new venture.

[00:24:30] Is there any of those details you would like to cover?

[00:24:33] Well, I just want to reinforce the fact that public comment period is open now, like always.

[00:24:37] And we really, really want people to give us their feedback on the requirements.

[00:24:43] Anything that they can see to make it a stronger document.

[00:24:47] Again, it's one team, one fight.

[00:24:49] We're really trying to make this document as good as it can be.

[00:24:51] It will go through a final draft before it moves into final publication.

[00:24:56] Now, just as we did in 171, largely from our community telling us they wanted the assessment procedures at the same time, we struck a kind of a happy compromise here.

[00:25:07] When 172 goes into final draft, you will also see the initial public draft and actually the final draft of 800-172-alpha.

[00:25:20] So what happens is, as this document, 172, is out for public comment, we are literally today starting to build the assessment procedures for 172.

[00:25:33] And we're able to do that because largely, no matter what happens to those requirements in 172, most of the procedures, the assessment procedures will be built during the public comment period timeframe.

[00:25:45] So when we get the feedback from the community on what they're looking at in this initial public draft of 172, we'll be able to tweak those requirements.

[00:25:56] And that'll end up pushing the final public draft of 172.

[00:26:00] And then we'll actually tweak the assessment procedures, which are now 172-alpha.

[00:26:05] So on that next drop, sometime in 2025, probably I would say maybe the second quarter of 2025, just in rough estimates, you're going to get both documents out at the same time.

[00:26:19] And then when we go final on both publications, we'll make the final course corrections on 172 and 172-alpha at the same time.

[00:26:28] And then that'll be locked down.

[00:26:30] And it'll be there for not eternity, but it'll be there until the next revision cycle, whenever it is.

[00:26:36] Dr. Ross, is there anything that, like if someone needs to connect with you on LinkedIn or things like that, is that a good way for them to ask as well as the 172?

[00:26:46] Yeah, anytime you can come directly to the NIST, my email at NIST is a good way.

[00:26:51] My cell phone is always on and LinkedIn is a great way to make those connections.

[00:26:56] So any way they feel comfortable and hopefully we'll answer questions and take them to the next step.

[00:27:02] Right.

[00:27:03] Well, thank you guys all for listening, all the people who are listening either on a podcast or on YouTube watching this.

[00:27:10] We appreciate you tuning in and obviously we appreciate Dr. Ron Ross stepping into this space and sharing his journey as well as where he is now and where he's going to be in the future.

[00:27:22] We're thrilled to continue to follow him and his journey as well.

[00:27:26] And we hope you guys enjoy just even just a little bit of a hint of what he's been able to do and what he's going to be doing.

[00:27:33] So thank you again for watching.

[00:27:36] Make sure to follow us so you can stay up to date on all the latest news and tune in next Thursday for our next podcast episode.

[00:27:43] But until then, guys, keep on climbing.

[00:27:46] See ya.

[00:27:48] Make sure to follow us on LinkedIn and YouTube to stay up to date on the latest CMMC news.

[00:27:54] We hope you guys enjoyed today's episode and listen out for the next one.

[00:27:58] But until then, keep on climbing.

[00:28:00] Bye.

[00:28:00] Bye.