(Season One Episode 19) We are joined by Karen Stanford to discuss the controversy of defining Security Protection Data. This is an honesty-based episode, and we don't hold back. Let's dive in!
As a seasoned cybersecurity professional with over 20 years of experience, Karen has a proven track record of delivering high-quality consulting services to both commercial and federal clients, especially in the field of cloud computing. Karen is the President and Founder of Archstone Security, LLC, a company that she launched in 2022, to help organizations achieve and maintain compliance with the most stringent standards, such as FedRAMP, FISMA, and NIST.
Website: https://www.axiom.tech/
YouTube: https://www.youtube.com/channel/UCaJagoDasNG3MqLqw2Af_ZQ
Axiom's LinkedIn: https://www.linkedin.com/company/axiomtech/
Bobby's LinkedIn: https://www.linkedin.com/in/bobbyguerra/
Kaleigh's LinkedIn: https://www.linkedin.com/in/kaleigh-floyd-079a52190/
[00:00:00] Welcome back climbers, I'm your co-host Kaleigh Floyd and this is another episode of Climbing Mount CMMC.
[00:00:11] In today's episode we're joined by Karen Stanford. Karen is a seasoned cybersecurity professional with over 20 years of experience.
[00:00:19] She is the president and founder of Archstone Security and she also has the CMMC Provisional Assessor Certification.
[00:00:27] She has extensive knowledge on conducting FedRAMP assessments and we are so excited to dive into the topic.
[00:00:33] What is security protection data and assets? So without further ado let's get into today's episode.
[00:00:41] Karen let me first start off by saying like you know what's kind of controversial when it comes
[00:00:46] to security protection data and what is it? Sure so I think it's you know in general it is the
[00:00:52] announcement that this is going to extend you know the boundary what they have recently decided is that
[00:00:59] your CMMC boundary needs to include security protection data even if it's not within your environment.
[00:01:04] So this would mean that if you are doing monitoring with a third party security operation center and
[00:01:10] you are porting all of your data over to their data center that their data center is now in the CMMC
[00:01:17] boundary and needs to be subject to the same requirement so your choices would be either to work with
[00:01:22] a security operation center that has an existing CMMC accreditation or a practice FedRAMP
[00:01:29] and or they need to get accredited themselves. So that is it's you know a lot of organizations in
[00:01:38] the DIB currently relied on managed service providers to help them do what they don't know how to do
[00:01:44] and so this is bad news for all of them and that it is now extending the boundary into their environment
[00:01:48] and they might need to be accredited. So a lot of the wisdom I think that people were thinking about
[00:01:53] is okay I'm going to get into CMMC right and when I get into CMMC I can start using other partners
[00:01:59] or vendors and as long as they're not specifically completing controls that involve collecting
[00:02:10] CUI they can they can they can participate and help like a SOC like you're saying so they can
[00:02:16] look at your SIEM and those types of stuff but once they put this security protection data label
[00:02:21] on that type of data as they ingest it now they have a responsibility which I think is what
[00:02:28] everybody's kind of getting pretty up in arms about. Yeah there's definitely some concern so
[00:02:33] so this isn't a surprising move for me in that that occurred for FedRAMP already and the concern
[00:02:41] from the parts of the Fed so that some of the data that is being exported has great interest to
[00:02:48] adversaries you know if you are ingesting audit data if you are managed service provider and
[00:02:53] you're ingesting audit data for a CMMC environment that shows that FTP is enabled on a host
[00:02:59] that's public facing then that and you know what people are going to have interest in that data
[00:03:03] it can be used to exploit the system so that's the concern. So let's first kind of talk about
[00:03:09] what security protection data is from the perspective of FedRAMP because that's all we have to go on
[00:03:14] at this point we're assuming we're going to model after FedRAMP so that's typically going to be any
[00:03:19] audit or event data and then you're also going to have any vulnerability scanning data if you're
[00:03:26] using vulnerability scanning as a service and that your data is living in their environment then
[00:03:31] that's going to extend the boundary into their environment under this new you know interpretation of
[00:03:35] the guidance. So do you feel that I mean that that is going to be a bit of the lens
[00:03:42] that that DOD is going to look through when they're talking about this through FedRAMP and
[00:03:46] their experience and utilization of how they did it there? I think so you know I think that the
[00:03:52] risk is the same for both you know it's that there is this is security related data that shows
[00:03:57] security vulnerabilities and it's not in a protected environment so I do think that will be how
[00:04:04] they do it for me it's a bit of a you know a bit of a disappointment in that you can you know
[00:04:11] you're going to get more effective monitoring from someone who does it for a living then being
[00:04:15] concerned about your boundary extending into those additional networks and then opting to keep
[00:04:21] it in house where you don't know what you're doing. There's kind of a trade-off but I do understand
[00:04:28] the risk that the federal you know the federal entities are trying to address with this. Yeah I agree
[00:04:33] it definitely makes sense but if I look correctly from wrong through 800-171 and 171A and I look at the
[00:04:44] NARA I don't see anything about security protection data until the proposed rule dropped and then
[00:04:51] you know all of a sudden here's this thing that they're talking about it makes sense but boy did
[00:04:55] it seem like a right cross out of nowhere. It did I think especially for anyone who was not
[00:05:01] you know in the FedRAMP space where it was a big bomb dropped on to just a few years earlier so
[00:05:10] but I think the security protection data I think initially the intent was to about for FedRAMP
[00:05:16] you need to assess everything. You need to assess your Linux servers, you need to assess your
[00:05:22] Windows servers, you need to assess your network devices it's sorry you have to do the whole
[00:05:26] full control set for all of them and I think that's the you know I don't know for sure but it seems
[00:05:31] to me that the intent of creating the term security protection asset for CMMC was to say you don't
[00:05:36] need to do all of that you don't need to test all of the controls for the 800-171 for your firewall you
[00:05:42] need to test you know only specific controls related to it but unfortunately I think that that
[00:05:49] is it's just kind of a runaway train at this point with people using you know what I'm seeing is
[00:05:55] people are trying to designate something as security a security protection asset so they can kind
[00:05:59] of remove it from the boundary so I'm not you know I'm not a fan of the term but I understand
[00:06:07] yeah so just to make sure those people are listening that aren't 100% in the know about this is
[00:06:13] that CUI right controlled unclassified information and security protection data they're not the same
[00:06:20] thing but there's this fear that it's going to start to become possibly the same thing but it has
[00:06:27] been utilized by the ruling and no uncertain terms as a mechanism to loop in maintenance service
[00:06:34] providers like myself so because you know maintenance service providers are trying to get in there
[00:06:40] and say okay we'll help with providing services for this company but you know we're only doing certain
[00:06:48] types of things so therefore we don't need to get level two certified ourselves but once that
[00:06:52] security protection data comes into their environment they're going to have to the way that I
[00:06:57] read the rule and if I'm getting wrong please correct me Karen but they're going to pull us in and
[00:07:02] make you know we're gonna have to get level two to match parity with who we're supporting because
[00:07:08] that security protection data is going to make us have to do that. I think that that is the correct
[00:07:15] interpretation and I think there's kind of two ways to look at it if you're a managed service
[00:07:20] provider and you are doing a lot of support for organizations that are attempting to get CMMC accredited
[00:07:27] it could be a differentiator for you to go ahead and get CMMC level two because then everyone can
[00:07:32] use you but as we've learned throughout this process it's not something that's going to happen
[00:07:37] overnight so you know it's a bit of a struggle for managed service providers to figure out what
[00:07:43] to do but one of the I think you know what I'm recommending to folks who are in that boat is
[00:07:50] to attempt to leave whatever the security protection data that they have ingested into their
[00:07:55] environment to try to put that back in your in the into their clients environment so this may
[00:08:01] consist of you know instead of porting all your auditing and monitoring or your log data into a
[00:08:06] security operation center you may want to bring that in house and have your security center
[00:08:10] analysts coming through a virtual desktop into your environment and work with it from there
[00:08:16] now that is not always feasible a lot of the tools that they need to use to conduct analysis are
[00:08:20] not in the environment so overall it's a it's a double-edged sword and that they're trying to
[00:08:26] protect the data which is of interest to adversaries however it is now kind of limiting
[00:08:34] how the DIB can protect itself you know there it's not as easy for them to to fulfill the
[00:08:39] requirements for CMMC and you touched on this Karen and I think it when we were talking earlier
[00:08:45] before we did the recording and and I think it it's definitely worth pausing and really kind of
[00:08:50] covering this a little bit more specifically is this ruling or this proposed rule is going to push
[00:08:57] a lot of people to start trying to keep the data in house and try to manage it themselves when
[00:09:03] they may not necessarily be the best qualified person to do that because of the fact that security
[00:09:09] protection data is so new from the perspective of people who are trying to get involved and get
[00:09:14] aligned for CMMC weren't quite ready for it and so it's a bear in wasteland out there as far as
[00:09:19] an organization that are FedRAMP that can handle this type of data and managed service providers or
[00:09:25] MSSPs or other SOC organizations like you said that have those appropriate certifications because right
[00:09:30] now the CMMC certifications aren't happening right now so no one can say I've got it so the only
[00:09:36] other option is what FedRAMP and or FedRAMP equivalent and so I just kind of want to open the
[00:09:43] box a little bit to however you feel comfortable to talk about like what the risk is of organizations
[00:09:49] now having to feel like they have to keep that data local and then what does trying to go into
[00:09:54] the FedRAMP space or try to look for those part or try to you know the equivalency can you
[00:09:59] sort of maybe try to make that mud a little bit clearer for us about that yeah I think one of
[00:10:04] the risks is that most of the FedRAMP accredited situate you know software or software
[00:10:11] infrastructure service platform as the services center and most of that is geared towards
[00:10:15] federal technology you know it's designed for office workers who are working with data
[00:10:20] and the defense industrial base tends to do quite a bit of manufacturing so there's a lot of
[00:10:25] programs that are used heavily by the DIB that are that really don't have any interest in selling
[00:10:30] direct to the government you know so there's going to be my first concern with this
[00:10:36] is that there is not enough there are not enough tools that are certified for the
[00:10:41] DIB to be able to continue to support defense you know the Department of Defense you know that
[00:10:46] for me is a significant concern it's kind of pulling the plug out cloud in a lot of ways
[00:10:51] you know so that's a that's a significant concern and then also I think it's you know while this
[00:11:00] did occur for FedRAMP at some point they were like okay now we want you to start using FedRAMP
[00:11:04] accredited you know solutions in your environment but they did that after there was enough
[00:11:10] kind of juice from you know there were some gaps but they didn't really wait to do that until
[00:11:15] there were products that you could use and and that's another concern for me is that there's nobody
[00:11:20] right now nobody can use anything you know there's nothing that's accredited and I don't know how
[00:11:24] that works with the chicken in the egg you know because I don't know that you can get you know
[00:11:29] assessed under the joint if you're a you know you need to have a contract with the with the government
[00:11:34] you need to be a prime or or a sub and a lot of these folks aren't going to be able to do a joint
[00:11:39] surveillance to get accredited for CMMC because they don't have you know the means and so
[00:11:45] there's a lag in being able to implement all of this that I think that nobody's considered
[00:11:50] and I think that's going to cause some problems. Well with with organizations starting to pull stuff
[00:11:55] in just for us because you know we decided last year early last year that we were going to
[00:12:01] go ahead and try to be one of the first over the hill to get level two certified ourselves
[00:12:05] but we made some assumptions about some cloud options that we might have available and once
[00:12:10] we started seeing stuff about security protection data we were like oh man this is not going to work
[00:12:16] you know we had to we started to have to pull some of this stuff in house we started having to look
[00:12:21] for vendors that do allow for hosting options which you know circuit four years ago everybody thought
[00:12:28] was just old school everybody's going cloud nobody's doing that now now with this rule it seems
[00:12:33] like everybody's like okay self-hosting is back on the table again folks and we need to start doing
[00:12:38] that but you know for me it was a challenge about education and trying to make sure that our team
[00:12:44] is ready to handle the requirements because it wasn't something that we were really good custom to
[00:12:49] doing and it's a challenge for us and I can only imagine how it would be for organizations that
[00:12:55] that are trying to do it themselves can you speak to that and how that might either help or
[00:13:00] security yeah so I think that one of the first things that folks are going to need to think through
[00:13:07] is AM well you know with respect to cloud is what I'm using actually a cloud service I think
[00:13:13] that we are seeing some evidence that folks don't really understand that they're like oh my god
[00:13:18] you know I need to have a FedRAMP accreditation you know because I'm you know I have all of my
[00:13:23] whole all of my system components are hosted on a cloud service provider well that doesn't make you
[00:13:28] a cloud service provider you know there's what what you really need to think about is of your client
[00:13:34] stated that could be considered sensitive where does it live and how can I make it to not live
[00:13:39] there so if you are doing vulnerability scanning and right now you are jumping into an environment
[00:13:45] and conducting the scans pulling the data over to your environment and analyzing it just do that in
[00:13:50] their environment that's an easy one that's that's a relatively easy fix but you know it is going
[00:13:55] to be tough the first thing to do is figure out are you cloud if you're attempting to you know
[00:13:59] figure out if you wanted if you need to do veteran are you cloud and then also where does the data
[00:14:04] live and can I make that different so for for us as a manager's provider we're going to be
[00:14:12] having some of those tools that are going to have security protection data in our GCC High
[00:14:17] environment and that will all be part of our assessment when we get assessed ourselves so when
[00:14:21] we get level two certified that will all be included in in our assessment process is that in your
[00:14:27] opinion an option for people to who can still participate without having to go with the whole FedRAMP
[00:14:35] process for them yeah absolutely I think that you know absentee ability to immediately become
[00:14:41] accredited which nobody has right now you should just we should prepare for it you know you
[00:14:45] should assume that if you are if your objective is to host data from folks who are going for CMMC
[00:14:51] level two or level three or whatever is for you to become accredited at that level and to start
[00:14:55] to work towards that end so that's I think the way to go you know with respect to getting prepared
[00:15:03] right now for vendors that may not necessarily be that easy right because they have
[00:15:10] build levels and revs and things that they're trying to track and trying to get a whole product
[00:15:16] line to go through a level two certification let alone FedRAMP is not going to necessarily be an
[00:15:22] easy thing for them it's not and what I recommend is for you to understand where that federal data
[00:15:30] that's of concern and this would you know this would you know probably be audit log data any vulnerability
[00:15:36] data you know anything to do with any security state in your in your environment your first thing
[00:15:42] is to understand where that lives and to try to to the extent possible you know to consolidate
[00:15:49] that all into one CUI boundary because some of the managed service providers are not just doing
[00:15:54] that that's a piece of what they're doing for everyone else so you want to create a little tight
[00:15:57] concise environment with as little in there as possible to be able to serve your customers and
[00:16:02] then to make that compliant yeah I think we earlier we had west on our our show and he talked about
[00:16:09] with vendors making sure that they knew about what they were collecting so if that type of data
[00:16:15] that they're collecting falls in there is there a way for them to disable that if they can
[00:16:20] and they can prove that they're not collecting that type of data then now you start looking like
[00:16:24] an option that could be available for someone because they have evidence to prove they're not
[00:16:30] collecting that type of data and they can participate which would be great because we need a lot more
[00:16:34] options than we've got right now right you know currently I don't recommend any tools but I do
[00:16:39] recommend that you understand what you're ingesting of your clients whether it's security protection data
[00:16:45] and you know with an interconnection security agreement to clearly delineate whose responsibility
[00:16:53] for example if you are transmitting data over to a managed service provider are you the you
[00:16:58] know the organization that needs a CMMC accreditation are you providing that encryption or are they
[00:17:04] so you need to really lock in what you're doing with respect to the data exchange and understanding
[00:17:10] where that data lives and then you need to clearly delineate when you have a contract with anyone
[00:17:15] who's in this boat you know anyone who's seeking CMMC accreditation or doing federal work of what
[00:17:21] they need to do you know you need to kind of absolve yourself of any risk if for example something
[00:17:28] is seized in transit or man-in-the-middle attacks something's taken in transit whose job was it to
[00:17:34] maintain that connectivity so you need to understand who's doing what and then you need to make sure
[00:17:38] the customer understands what they need to do so with that is that more like a shared responsibility
[00:17:44] matrix where that's kind of outlined it could be but you know that's not I think if you were to go
[00:17:50] to the CMMC route then you wouldn't have one anyway you know but there's you know
[00:17:56] you could also accomplish something similar through an interconnection security agreement just
[00:18:00] in understanding of who's controls do what but I think a security control responsibility matrix
[00:18:04] that you provide for your service you know whoever you're working with would be a great idea
[00:18:08] okay um all right so let's switch gears here if you feel like is now a good time to switch
[00:18:14] to security protection assets you've you've touched on a little bit uh security protection data is
[00:18:21] is is kind of the new kit on the block of controversy but security protection assets people were a
[00:18:28] little bit surprised when they looked at the scoping guide and they're like what the heck is this
[00:18:32] is it just appeared in the scoping guide correct um yeah can you can maybe try to draw some
[00:18:39] um some things based on your FedRAMP experience about security protection assets uh because first
[00:18:48] off let me just ask is is there such a thing in FedRAMP as far as in the delineation or such
[00:18:53] as something exclusive to CMMC okay and I'm not you know the biggest fan of the term just
[00:18:59] because you know I think to back up to what my my interpretation of the intent was
[00:19:04] is that in FedRAMP when you do an 800-53 assessment you need to test all of the controls for all
[00:19:11] of the components so that would mean that if you have windows components in your environment you
[00:19:15] need to do the full scale of 800-53 testing or you know what's relevant obviously some don't
[00:19:19] matter but you need to ensure that you're all the controls relevant to a technology are tested by OS
[00:19:24] by platform by component type etc so because you can't do a background check on a firewall right
[00:19:30] now exactly yeah that's not going to work but uh I think the intent of the creation of this term
[00:19:38] was to say we don't we aren't doing that here in CMMC you only really need to care about for
[00:19:44] example the firewall and the context of it being a boundary protection but device or providing
[00:19:48] your VPN or serving as that external perimeter um and to test it from that capability so I think
[00:19:56] they created the term with good intent but I think that what is happening what I'm seeing happen
[00:20:00] is because now the rules state that you don't need to do as much for things that are security
[00:20:06] protection assets or that have security protection data that people are trying to shoehorn anything
[00:20:11] that's like not fits compliant or whatever into that category so they can so they can kind of opt out
[00:20:18] as sort of the controls that aren't being met and so for me that's the concern with this term is
[00:20:24] that it's being used to try to carve things into a different bucket where they don't necessarily belong
[00:20:30] yeah because you've got CRMAs you've got security protection assets and then CUI assets which
[00:20:35] we're all going to have that exposure and there's some others like specialized assets but the
[00:20:41] the SPAs to me seem to create the most amount of frustration especially as I was kind of trying to
[00:20:48] get my head wrapped around it and I've almost just started taking the attitude as I'm just
[00:20:52] treating it almost like a CUI asset from the perspective of if it's a Windows asset I'm going to
[00:20:58] I'm basically applying all possible policies and types of you know technical controls to limit
[00:21:07] in go through and accomplish every feasible way of applying controls that are relevant obviously
[00:21:15] I can't do a background check on a domain controller but or you know do I mean there's certain things
[00:21:23] obviously it can't do but we're going through it but when I read that scoping guide and have
[00:21:30] looked at it it seems like there's almost no distinction between a CUI asset and a security
[00:21:37] protection asset I don't want to get into dangerous waters but can you give us a little bit more
[00:21:42] examples of what a security protection asset might be in a real world environment that would
[00:21:48] be labeled that way so for me a security protection well yeah I'll answer that and then I'll
[00:21:55] I there's another piece I want to address but yeah a security protection asset would be something
[00:22:01] that is necessary in the environment for you to fulfill all the security control requirements
[00:22:05] for the framework but they are saying to you know we don't want to go full scale on this we don't
[00:22:10] need to test everything so typically what you'll see for security protection assets are things like
[00:22:17] firewalls VPNs your multi-factor your your audit log data if you're using a SIEM
[00:22:25] if you are doing vulnerability scanning anything like that anything that is security related
[00:22:29] data or anything that is a tool that is providing a control within the framework they're saying
[00:22:35] this must be in your boundary but we don't need to do the full scale testing on it so those are
[00:22:41] the most common things that you'll see but I will say one of the things that you you know this is
[00:22:46] kind of how we do it in FedRAMP so the areas in which these come up the most would be well let me
[00:22:55] say how you can simplify it I guess if you were using some sort of federated or single sign on
[00:23:00] capability for all the components in your environment then when you test access controls you are
[00:23:04] testing those components access controls you know as long as they are integrated with what you
[00:23:09] already have if you're forcing multi-factor for everyone who comes into the environment then
[00:23:13] you're testing that in AC you don't need to look at it differently but for the most part where
[00:23:19] you're going to want those things to be doing compliance CMMC things is for your user log into them
[00:23:27] for all the password policies that are pushed to them if there's audit data coming out of those
[00:23:32] components that's going to matter as well as how are you managing these are you patching them
[00:23:37] are you scanning them etc so if you have an enterprise approach to those three capabilities
[00:23:43] then all we really need to care about for your security protection assets is are they working
[00:23:47] as intended to provide the requisite controls so is your firewall actually you know protecting your
[00:23:53] perimeter is your VPN actually being forced for everyone and you know functioning is intended in
[00:23:59] FIPS mode etc so you know I think that's the best way to look at it is to have enterprise management
[00:24:05] over all the components to the extent possible and at that point you can kind of relax and just
[00:24:10] think about that component from the perspective of is it doing what it needs to so if you're doing
[00:24:16] the more enterprise scoped assumed controls like patching and those types of things a lot of that's
[00:24:22] going to be covered actually so yeah and so you know that's one easy way to look at it is
[00:24:29] it's easy for you to say I only want you to focus on firewall for the firewall controls is
[00:24:34] if you have the rest of that under you know in scope that everything every change you make to your
[00:24:39] firewalls going to get through the same change control process that you have if all the users are
[00:24:43] provisioned the same way if they you're forced to do multifactor etc that's the easiest way to
[00:24:48] kind of isolate a security protection asset for what it needs to be gotcha Karen thank you so
[00:24:53] much for joining us today but I wanted to give you an opportunity just to kind of share some things
[00:24:57] that you're doing and sharing content you know either way that we found you as through
[00:25:03] their great posts that you've been doing on LinkedIn and comments and questions because I've thrown
[00:25:07] out a lot of questions and you've shot so straight with me and given me some of the best clarity
[00:25:12] on some very controversial things when most people just want to keep their mouth closed because they didn't
[00:25:16] want to get toasted but you kind of stepped out into that space and shared some things and were
[00:25:21] you know a little fearless about getting trolled on some of that stuff and I just I think you have
[00:25:25] great content and I just wanted to give you an opportunity to share some things that you might
[00:25:29] be doing and sharing out there yeah I'm actually about to I think one of the one of the concerns that
[00:25:36] I think the the defense industrial base in the CMMC folks are dealing with this is FedRAMP
[00:25:41] equivalency memo so one of the things that I'm about to launch is an 800-53 it's a it's a YouTube
[00:25:47] series called NIST Control Freak and in it I'm going to discuss all of the 800-53 controls how
[00:25:54] you will assess it how can you interpret it how can we implement it pitfalls as well as how
[00:26:00] can you actually assess it so I think that this is it's just one of the things that I felt like
[00:26:05] in my career I had to do the most of when people ask me questions it's usually how do I test
[00:26:10] a specific control or this is what I'm seeing how how does this affect the interpretation of
[00:26:15] the control so I'm trying to get that knowledge out there so folks know because it's you know
[00:26:20] I've collected it over 20 years and it's been through a lot of you know let a high end
[00:26:24] organizations where I'm pretty sure that my interpretation at this point sinks with the rest
[00:26:29] of federal government so I'm trying to share that out with folks wow so they can help implement
[00:26:34] because I've worked forever in the the FedRAMP advisory space helping folks get federal accredited
[00:26:39] so they can help implement and they can also learn how to test and to be prepared for their own audit
[00:26:46] so with CMMC there's 320 assessment objectives with FedRAMP like how many total sub objectives
[00:26:57] if you added them all up for for FedRAMP moderate well what would that be?
[00:27:02] Well they just put the Rev 5 out and you know there's a different control count used to be 325
[00:27:07] controls for a FedRAMP moderate baseline but you have to understand that within that there are
[00:27:11] sub parts right now so I mean and then you also have to layer on the fact that FedRAMP makes
[00:27:17] you do it at the perhaps at the OS level you know so there have been times in doing a FedRAMP
[00:27:23] assessment where the number of test cases I was doing was well over 3000 so yeah it's a little bit
[00:27:29] different. It's definitely on hardbed. I can't wait to see that and go through
[00:27:37] I'm sure that's probably going to be perhaps several years if you're trying to go through
[00:27:42] however some of you know because it's like by the you know I'm concerned about the revisions
[00:27:48] yeah I don't want any my content to go stale but just pull it off and put out a new one I guess.
[00:27:54] Well you know I think the connection between CMMC and FedRAMP is critical to understand
[00:28:01] and having that content out there would be massively helpful. I am not very savvy when it comes
[00:28:08] to the FedRAMP aspect so and that's why we're going to have you back on the show just to talk about
[00:28:14] in our next podcast about kind of the connectivity and the the commonality and the differences
[00:28:20] between FedRAMP and CMMC there's a lot of connectivity between them and there's also a lot
[00:28:26] of differences just as we were talking about you can kind of see that very clearly and so
[00:28:32] for if you guys are just tuning in to this podcast go back and look at some of the other things
[00:28:37] that we've done and also make sure you pay attention to Karen's next one that's going to be coming
[00:28:40] up that we're going to be talking about those connectivities because I think it's super important
[00:28:44] for you to understand if you're doing the CMMC journey to really have a good understanding
[00:28:48] of how they kind of connect. Make sure to follow us on LinkedIn and YouTube to stay up to date
[00:28:54] on the latest CMMC news. We hope you guys enjoyed today's episode and listen out for the next one
[00:29:00] but until then keep on climbing.