
All right folks, we're going to go ahead and kick this off a little bit. First of all, thank you so much for just coming out. Uh, you can be doing a lot of other things on a Saturday but just had to hang out with us, and, uh, hopefully you get a chance to learn a few things along the way, meet some good people. I always tell people, when you come to something like this, if you don't meet at least 10 new people you've lost a great opportunity, because there's a lot of folks here, right? All right, good deal. All right, so a little bit about me. We're going to talk about CMMC and how that product and program
came along and why we have it. Here's something about me: I'm a retired Army guy, did 21 years and got out after that, then became a defense contractor, still a defense contractor, almost 20 years doing that. Um, I teach for St P College, cyber security. I'm on company where I do cyber security assessments, and, uh, I do mentoring and coaching as well, so I just try to help people. That's really what it comes down to. That's enough about me. Here's what we're going to talk about today. We're going to go through the relationship of FAR and DFARS. Anybody ever heard of the term FAR before? If you work with the go, oh yeah, great. You work
with the government, you kind of have an idea what FAR is, and then the DFARS. And then we're also going to talk about what's called the ecosystem for CMMC. It's really a whole program that has been developed and continuing to be developed, so as we grow with it you'll have probably some input or be a part of it. We'll look at NIST 800-171 and 171 Alpha, talk about the differences of the two and why they work together so well. We'll also look at the different types of being certified under what's called the Cyber AB. That's the organizations that's been given the accreditation capability by DOD, who actually owns this whole program, and they're the only ones that can certify
you for certain things, so we'll talk about these different certifications. The, um, CMMC level one and two assessments, those we'll dig a little bit into, because there's a big part there that if you're going to be, and you may not be right now, or if you're working with a defense contractor or you decide to do any business with the government as a whole, you're going to have to fall into one of these categories, and that's why it's so important that we kind of talk about it. And then lastly we'll talk about the, uh, SPRS. This is really a big database that holds a lot of information about your company and where do you stand as far as
how your company meets the qualifications, assessment-wise, that DOD and Cyber AB say you must meet. So that's what we're going to talk about. All right, so here's the first piece, talking about FAR. And as you can see, FAR is something that's been around for a while, and it's a Federal Acquisition Regulation, and in this regulation it dictates pretty much anything you can think of of a company working with the federal government: things you can do, things you can't do, requirements you must meet. So initially that's kind of what they use, government, to kind of guide a company on what security parameters, qualifications were needed, because they really had nothing else, which is exactly what led to where we
are now. So there were about 15 basic cyber security controls. Does anyone not know the term controls? Okay, everybody knows what controls are, great. They're basically like putting a Band-Aid on. That's control. You're bleeding, Band-Aid, control, right? Same thing. All right, so then we moved into this CMC, CMMC rather, level one. The basic FAR, it's 17 different pieces that kind of go into that. We'll talk a little bit about them. And then this piece here at the bottom where we talk about the federal contract information, we'll dig into that a little bit more, because ultimately this whole program is designed to secure that information there, which is more or less publicly given information, and CUI, which
we'll talk about in a second. And the problem was, in the past the government had no insight or control of what was going on with the people that they were contracting out to handle their business. This puts more or less a stringent regulation structure in place that they have to file. So these are the 15 basic controls that kind of went into the initial piece before 52.204-21. So you have things like, uh, limit access to authorized users, process, process rather than devices. What does that mean when you read that? Anybody? Go ahead. What it tell you? Could be, yeah, or could just be user ID, password, right? So sounds simple, but at least it's
something. And then for example, provide protection for malicious code. Well, if you are someone who does development, coding, that means secure the code before you send it out into the wild. So it makes sense, but there really was no way to verify you were doing this. So that's how we again keep moving on. So then we move into DFARS, which is going into the Department of Defense. Same concept that FAR had, but now it's pretty much tied to just Department of Defense. So DFARS again is, like it says, implement supplementals to the FAR, and it kind of gets a little more in detail about things you can and can't do relating to DOD as well as the
federal government. Things like, uh, you see here, there are policies, procedures, requirements. Kind of lays it out a little bit more simply for you. So here's the primary one that ties into what we're working with now for the CUI, is DFARS 252.204-7012. Here's what it says: safeguard cover defense information and cyber incident reporting. So we're talking about safeguard, if I'm the government, my information, and if you have a problem or there's an incident, please let me know. That's all it's saying, but it kind of breaks down into a structure. So then NIST. Anyone ever heard of NIST, or not heard of NIST before? Okay. They're the National Institute of Standards and Technology. They're more or less the gold standard
for making standards for IT and things in security, for example, and they have many different types of regulations. So they created this NIST SP, that's special publication, 800-171, and it says, uh, protect controlled unclassified information in nonfederal information system, systems, and organizations. What's an example, you think, of a nonfederal system? If you're a company, that's your company, your systems. You're not federal, they are. You're trying to work with them, right? So that means be careful what you put on your systems that I own. That's all they're saying. So this again relates back to FAR, but the biggest piece about this is, from the FAR, we focus on the FCI, federal contract information. This contract information is basically
something that is not catastrophic if information gets out. It's public, but you just want to make sure you manage it a little bit, but it's still public information, won't hurt anything. The requirements to qualify for FCI is a little different. For CUI, has a little more security pieces tied to the CUI side. This is CUI, controlled unclassified information. This is what all the noise and buzz is all about, protecting this, because it's used, in the past it was called FOUO, which is merely for your information only, right? They decided to change that and they went to CUI to build that structure a little bit more. And again, notice it takes a lot of things that it had in the FAR, but it says
here: information the government creates or possesses, or is, uh, entity creates, possesses on behalf of the government. So if the government hires you to do something, you're kind of being hired by them, which really means it's their stuff. You may create it, develop it, great, but they end up with it at the end. But because of that you have to protect it as though you were them. Everybody good? Okay, cool. So that's what it's all about. So then it says right here, requiring a permit, permitting ra agencies to control, protect information, controls for doing so, which makes the information CUI specifi. Now there's certain criterias, and the 800-171 speaks to this, that is what describes CUI
information, certain levels. Now we're not talking, and I'm sure you guys from a government perspective, you ever heard the term secret, unclassified, top secret, all those terms? Okay, this isn't there. This is below that, but it's still information that, put in wrong hands in the times we're in right now, because we have a lot of nation state actors, which are basically Korea, North Korea, China, people like that, they still want to get whatever they can from us to help do what they need to do and have insight on what we're doing. So that's why that's set up that way. So here's the program, started back in January 2020, and going back to like I said, they
needed something to build structure with, and that's where this whole thing came from. It was again decided by Department of Defense they'll head it up and then they will manage it, but they created another organization to do that, which is called Cyber AB. We'll talk about them in a sec, to put all this together. Now what happens is, like it says here, because we're on 2.0 right now, they're working on 3.0, not out yet, but probably by this time next year it'll be out, so am will simplify the compliance process. When you hear compliance, what does that mean to any of you guys out there? Anybody? Check in the box. Check in the box. What
box? Security control box. Security control, right? So what does that mean? I have locks on my door, that's control. The book says I have to have it, I got it, check in the box. Everybody good? So I am now compliant to what the government regulation basically says I need to do. But there's a whole lot more than just that lock, but that's what the whole concept is all about. So these guys here, and it's designed again, as you can see, for medium-sized, small businesses and is security posture of the defense industrial base. It's a big database that kind of says, okay, here are good guys we can work with because they meet our criteria, and if you're not in
that database then you may not be eligible to work with the government some form or fashion. But now, to kind of help get to all that, that's where this comes in, to help put you there, so when they go look they can see more information: did you meet the compliances, all those type of things. So this is the ecosystem of CMC. So when they put this together they literally built this from the ground up. It's still in its early stages, which is why a lot of this is still being developed as we talk. So like it says here, the system is designed to decentralize programs, fostering comp, uh, competition, cost reduction for the organizations seeking certification. So
the, as they say here, the OSCs would be your companies, company X, company Y. They want to do some work. What work do you want to do? Well, I'd like to be a service provider for the government. I can do, manage your servers, I can run your network. They're like, okay, I need that, so let's sign you up, you're our guy. These guys have to get checked first though. So what these people here are, they're the ones that are needing to get checked before they can start working with the government, and that process goes into what's called different stages of people that can help put you there. So the first one we'll look at, this is a registration
practitioner organization. There's a company out here, let's say any company, company B, and their whole purpose is to help you get prepared to meet the certification requirement. That's what they do. The persons that they have doing that are called registered practitioners. They've been certified to now go in and say, okay, let's look at what you have. Uh, do you have locks on your doors? Do you have lights out in the parking lot? You have your server room locked? That type of stuff. So they're prepping you, so when you get ready to do your final certification you should be good. But the key is, these guys can only prepare you. They cannot certify you. That's not their
role. It's another group's role for that. Over here, these are the guys that can help get you certified. So the CCA is the certified CMMC assessor. It says it in the words: they are assessors. They can go in from what this guy here, over here, did. The practitioner helped get you prepared. Now these guys can come in and verify and validate that what he said on the paper was good. They'll validate on the paper that you're good, and if that goes through well, then it moves more into the process. Now these folks right here, C3PAO, third party assessment organizations. These people here have to work for those guys, because what, again going back to
the government and DOD, they said, okay, Cyber AB, who kind of heads up this whole ecosystem, we need to have certain companies that go through our certification process that we trust, and any people that they recommend that work for them, we trust them too. So that's why they trusted authority to go out and say, okay, now you're ready to get your final assessment. So we get your prayer for certification, those will be the guys to do it. The other part of that is this person over here, called a professional, CCP. So this is the early stages of getting here. So when you first come in on this side, the people who can do the assessments, you'll get your CCP
certification, and we'll talk in length about those, but more or less everything here is going to be like a couple hours test, just to let you know, not to scare you. It is what it is, right? Yeah, I'm being nice. He just finished one of his, so yeah, terrible, but if you pass it's good. But you made it. Sounds like college, right? You kind of made it, you C'd your way through. Yeah, I know what I'm talking about. Okay, so these folks here are what's called the provisional assessors. This does not exist yet. That's why I said they're still building this program. So the goal is to ultimately create all of these guys, roll up in here. It'll happen
sooner or later, but it's not there yet. These people right here are the licensed, uh, partners, publishers, so they create the material that's going to be used to get these guys certified. So far so good? Okay. Going back over on this side, this is the licensed training provider, so these folks use their material to train these guys. Everybody following the dots? Okay. So, so they're only authorized to be able to do that, so a company has to pass the certification to even be a trainer for these certifications. But there's, they're coming. They're not there fully yet, but they're coming. So now you have what's called a CCI, which is an instructor that works for the
LPT, the providers, using the LPP's material to teach the CCAs. Anybody lost yet? Sound like alphabet soup, right? Yeah, I mean, a lot of acronyms for, in the end, someone has to teach you, someone has to get certified to go out and help everybody else. That's all it says. And then you got these guys here who haven't existed yet. They're coming with these folks here. So everyone now that's an instructor, they're kind of like a temporary, because they haven't created the official provisional instructor certification yet. By this time next year it'll probably be out, but the system can't wait, and here's the reason why we can't wait: federal government says, hey, you have to qualify
with this 800-171, all the requirements in it, before we even do business. So if they're forcing you to qualify as company X, then you got to have people like this to get that done. So that's why they're in a temporary interim phase, but in the end they're still going to be instructors, they just have to take another test. So this is the ecosystem. This is all about, this is where you're going to spend your money. I know when I say money everybody, huh, money? Hate to tell you, it's not like 20 bucks. Throw a few more zeros on the back end. Okay, but it's business, because think of it this way: if it cost $20,000, hypothetically, to get
certified, but from that I can make 200, $120,000, was it worth it? It's business, right? And that's how you have to look at it. Oh, and by the way, same thing with certifications. Not that expensive, but you're going to have to pay to play. This is the process for being an assessor. Everything kind of starts right in here as a CCP. Go through your certification process after you take your course, then you get up here and your CCA, and then from there you're able to kind of go out and say, I'm your assessor now. But keep in mind, if you were to get certified as a professional before you do your CCA, you still can go out and help a
company get prepared. That's something you can, so you can kind of do both. But here's where the problem comes in: if this guy here went out and prepped company B, it would have to be this, this guy here to go out and assess him. You can't prep and assess. That's a foul, R flag comes out, right? Penalty. So you have to have partners in this thing. So if you are a company or a person who is a CCP or is RP like we talked about earlier, you can prep, but hopefully you have a network of partners that you can reach out to that you trust. They can now go in and assess, and that's how this whole
ecosystem infrastructure is going to work, because it's not a one-man band, it's really a team effort, and that's why it's important to make sure we all network relating to it. Okay, so this is the folks who've been put in charge to kind of handle things, the CC, I mean, um, Cyber AB, which used to be another name, and these are the organizations here that everyone's authorized to go do those assessments, like I was telling you earlier. So Cyber AB, again, they accredit the CMMC ecosystem, and then from there their primary mission, AB, is to authorize, accredit the CMC third party, which is C3PAOs. They've been given that authority and that's what they do. And then that conduct, uh, they conduct
the, uh, CMC assessment of companies in the DIB. Remember I told you, a big database, the people are trusted are in that database. And they managed the ecosystem for DOD. So that's what all this kind of wraps up into. So it's a program, it's not just one thing. It's a whole combination of many things and each one has their own important part. So let's kind of fast forward. So we went back to the FAR and the DFARS, and from that came the NIST SP 800-171, and notice the 171 says protected controlled unclassified information in non-federal systems and organizations. That's what it's designed for: you take care of my stuff if you're working for me as the government. That's all. Over on
this side, though, the Alpha is assessing security requirements for control. So this is what's going to kind of break down the details of what type of lock I need to have on that door, how do I set up my users for, if they try to log in more than three times, do they get locked out, access control type things. That's more or less specified in here. It's generalized here as you got to do this, but this, I'm sorry, this shows you how to do it or what it should be like. So when these people go out and do the preparation, they're literally using a spreadsheet, more or less, if you were to say, that has all these various
controls, and they just walk through: okay, show me how you do this, where do you keep your policies on people who are leaving your organization? Yes,
sir? Yes, yes, and I'll talk about that in a second, but thank you, yes. So this is again just detailing things down. So from here, as you can see, I kind of threw some numbers up here. This has 110 specified. This is breaking down the 320 that actually make up that number. I know the math does not match, and the reason why, there's a lot of subsections under one control, and that's where it all kind of gets mixed up at, which is why the numbers are so much higher here, because this is digging into those subsections. Everybody good? Okay. So the 800-171 version 2, which we're on now, they're working on version three, not out
yet, and like I said, the 172. So like it says here, the framework consists of 800-171 re, um, should be version, not rev, I'm sorry, yeah, uh, two, protect and control classified, uh, non-federal system organizations, and the subsets of 172, which is enhancing. 172 is really going to speak to a higher level of security than the 171 is. That's kind of where we're going. So we at the as-is, and then we have the to-be, so they're going to be the same but more added on top that you have to secure. So these are the various levels that kind of play into the role of what type of information your company can work with, or
you, and what you've gone through to meet that qualification. So here, level one is pretty much the basic foundation. There's 17 various practices to tie into it, and once you get certified here, and there really is no documentation for certification, so you can do what's called a self-assessment, meaning you take that spreadsheet, has all the controls from 800-171, and you walk through it yourself on the honor system, wink wink, and say, I checked all the boxes. They're not going to send somebody in to double check that. They're going to trust you. Oh, by the way, if you decide to do business anywhere, if you're telling them something just not true, you'll never do business again. So no big deal,
you're good, tell the truth. So this ties into both 171 and the FAR. Now this level here, you're working with the CUI data, controlled unclassified information. This is really where it gets sticky, because this is where you have to go through the actual preparation piece and then have a CCA come in and certify you that you met all the requirements. So this is really where you're honored with a certificate from C, um, Cyber AB saying this company is good, they checked the box, and you can work with them. Until that, all that takes place, you really can't. Where we're going is three. Probably 05 worst case it'll be out. Three is going to be another level, but
with more high priority risk controls tied to it. So basically what they're doing, they have a baseline, if you were to say, and more or less from the CUI area that's here, and they continue to stack on a few more controls just to make sure you're really in good shape to work with this. Everybody okay? All right, so these are some of the basic levels that go with the model structure. The basic level covers the basic security requirements for protecting FCI, federal contract information, uh, information not intended for the public release, based on 17 basic requirements. That was like that level one we just talked about. Level two, intermediate, covers the intermediate security requirements for protecting CUI.
Security objectives at that level is to protect CUI from unauthorized disclosure, so meaning if someone's not supposed to see it, they shouldn't see it. Even though it is public, only authorized people in the public are able to see it. Does that make sense? Okay. And then last you have the advanced, which is going to be level three, and like it says here, uh, covers the enhanced security requirements for CUI critical programs or high value assets. So now we're kind of creeping into, we're not into the secret realm yet, but we're kind of a little bit below it, but a little higher than just the regular CUI. That's why that's going to be more enhanced controls. And notice here it
says it's based on 131 requirements from the 171 and 172 plus 32 additional. This is where the problems come in for all the companies who want to do this, because you may not have the money, not to have it done, to sustain it. Because let's say if they say, all right, let me see what your security stack looks like, do you have a firewall, IDS, email gateway, any of that stuff kind of tied in together? Well, let's just say if that was a requirement, some of it actually kind of is, if you don't have it, how you going to get it? You're going to have to spend the money to bring your infrastructure up to a standard to even
get assessed, because what's going to happen is, if you haven't even passed that level one where you can do a self-assessment, and then you want to go to level two where someone comes in and actually does an official preparation for you, you can't even get the final assessment for certification. That C3PAO, they're not even going to talk to you until you've gone through that process of getting evaluated properly, because you're wasting their time, which means you're not going to get certified, which also means you have no business. So this is going to be an investment, and this is where a lot of people are kind of having problems. They, I like the idea, I like the concepts, but
there's going to be a cost, and small business, mom and pop shops, even medium-sized businesses, depending on how many people they have on payroll, they really don't have the funds, which is why they're not pushing this to be done like tomorrow. They understand all those pieces and they're pushing it out. They're being a little lenient because they understand people have to build up to get this piece in place, to have all this stuff taken care of. So it's still, like I said, processing. It works, but that's where we're going. This kind of gives you a general idea of the level one we were talking about: identifying who should and should have access, shouldn't rather, to FCI. That's that
basic level, federal contract information. Limiting physical access to systems that cannot, rather, contain, rather, FCI via locks, keys, cards, so that's like a swipe card, C, uh, CAC card. Ensure that only properly authenticated users can access the system. So it's kind of keep at the low level, and again, these 17, I would support that. Level two is where things change. This is where I was telling you, you have to go through the process and actually go through the certification process by AAA, I'm sorry, CCA and the C3PAO who they work for, to get the checkbox that you are good. So as you can see, you have these objectives. That's where that 320 comes from, and they all
feed into 110 controls, and then there's basically 14 families of controls, and I'll show you those in a second. These are the families, so you get a general idea. They're covering head to toe. You have awareness and training. What do you think that is? Train your people, right? Phishing, OPSEC, as in don't put out information that's not needing to be out in the streets. Risk assessment: what is the risk of someone hitting you with a cyber attack? That's part of it. Systems and communication protection: that could be your servers that houses all your data. How are you protecting that? Do you have it in a nice server room with a door that doesn't have a lock on
it? A little tricky on that one, right? So as you can see, it's a whole category things, which is why the subsections is what create that 320, because they all have sub layers. This is the overall process if you were to do it. So the company, OSC, they basically say, okay, we're ready to do it. So you'll have someone come in, and if you're doing it the self-assessment way, you don't have to worry about all of this. You just take this, more or less a checklist from 171, and you complete it, you put it out on SPRS, which we'll talk about next. That's a big database that says we have done the task, and then you
sign off on it and you're good. That's just for the FCI level though, not the CUI, controlled unclassified information. If you want to go that route you have to go up here. Same thing, but then you will have that company come in with a CCA and they'll walk you through this. They say, okay, um, let's conduct a gap assessment, identify what your scope is, what you want to do, engage the professionals, identify your level two, maintain it, and then you hit the identified schedule, pass. Again, this is passing the requirement for the assessment, and then you get your cert, and then you take everybody out for dinner. Probably not. Maybe McDonald's and share a burger, because you're broke, but
it's okay, good idea, you thought about them. It's all about the thought. [Laughter] All right, so these are the five steps if you want to try to get ready and get prepped for this thing. One, start preparing today, and the reason why, because it's coming. Whether you want it or not, it's going to come, and were you prepared? Go ahead. I'm told first quarter next year. Yeah, so March of 25, commun, yeah. So give or take, here or there, but 2025 is going to happen, I guess it's the best way to put it. So you want to again make sure things are good. Put together the required documentation, as in your policies and all these other things that
your organization operates from. Uh, do a gap analysis. Does anybody know what a gap analysis is? What's the gap analysis, sir? What's missing between you have, need. Correct, exactly. So you do your self-assessment, and being honest, you see all the spots that are empty that you can't check because you don't have. That is your gap. Then you have to put a plan together: how are we going to fill this gap to meet the requirement? So that's what they're talking about. Conduct that self-assessment like we just talked about, then consult with the CMMC professional, or the C, C3PAO rather, when you're ready to go live for your final cert, and they'll take care of you. Prepare your
audit, because you're going to get audited, and like it says here, only the C3PAO can, is qualify for the audit itself. The assessor will first speak with you to determine your needs, 'cause everyone's different: size of the business, things you operate on, all different. Still going to want documentation. Uh, like it says, evaluate controls for protecting FCI or CUI, whichever you feel you need, and then of course documents would be like diagrams, network diagrams for example. How is your data flow? Does it start here and go out? Well, how does it get out? Is there a way someone can break that security chain of information going out? That's going to be looked at. Vulnerabilities. What's the vulnerability
scan? Yeah, you're checking your system, see where I have my holes at. Every system has holes, don't ever think it doesn't. Every, even your, your house, your system at home. Microsoft updates that too, right? So that's what you have to show. And then list your various controls that you're operating off of. Lastly, submit your assessment, and this is where it's going to come in to working with that, um, C3PAO. You do your security plan. Basically your security plan talks about each and every one of those controls and how you're going to perform them, but also how do you monitor that after you checked the box on it, you have it done. Again, it ties to that 14 families
of those colored controls that we looked at. If it's something you don't have from that gap analysis like we talked about, you put it on what's called a plan of action and milestones, POA&M, and all that says is, hey look, I know I don't have that router, it's a risk, I'm accepting a risk temporarily, but I can't have it fixed within the next 180 days. Okay, because you at least identified. Still don't mean you got it, but you know you need it, and that's where it starts. Then again, like it says, CMC requires ongoing monitoring and evidence. So once they do the checklist, everything's good, they still want to know what is your plan to maintain this, because, oh, by the
way, this has to be done every three years, and if you're FCI it's every year. That's where the sustainment comes to play, because if you can maintain it, it's much easier to get reevaluated, but you have to maintain it. This is a database that you put all that information in. The 110 controls that you do for your assessment, it goes into here, Supplier Performance Risk Systems. You upload all that information in here, and this is where the government is able to access this and actually look at your score. So 110 is kind of the ultimate score everyone's trying to get to, anywhere from a minus 205 to the max of 110. Everyone starts below the water. You got
to get to the water. At least you get a shot if you get to the water. So again, this a little bit more about it. Again, like says, breakdowns, and this is what I was talking about earlier, the 203, negative, -203 to 110. So the more you go through those 110 controls, for example, I'm sorry, 14 families, each one has a number, each control has a number. So if you have locks, lock as a requirement, it may be four points. So you start at -205 and you're kind of working your way up the chain. So then you add four positive points to that negative number, and that's how you get to the waterline, El me above
it. It's nothing written right now, but as it's being told, when this goes live, if you're not, and don't quote me, it's kind of where I'm getting information on, if you're not at least around 80 you're not going to get a business contract. 88, I was being kind, yeah. Because what they're saying is your security infrastructure is not there yet, so that's kind of like the bare minimum. 110 would be the max. Some will get there, some may not, but they're not going to hold you that you don't, but at least you have a window. So the goal is for everyone at least getting to that cutoff point of 88, and that may take a year, two years,
just depends on your organization, what you do, your resources. Yes,
sir. So no, they're expecting you to maintain that, but that SPRS, this area right here, when it comes time to reassess you, they're going to go here and look at your previous SSP, your security plan, check it out, and then when they look at your current one and see, okay, well, what happened? You were good. Oh, you lost some people, I understand, but you still fail. I don't make the rules, right, but this is how it's going to work. So that's why the goal is, again, get to that score now, which is why you need to start now, so you won't have to get to the last minute and you think you have business
and you have no business. Some general information on facts: what do I need to, what do I need to do, rather, to be compliant? We talked about that already. How much does it cost? That could vary, again: size of organization, what your organization, uh, operation is, who you're supporting. So there's no set number, but it's going to be a little change. What are the steps to become compliant? Engage with the DoD, establish procurement account, obtain an active status, so that's that SPRS, you'll have to have that set up as well. Conduct your assessment, understand the scope of the assessment, develop a plan, as in my gap analysis: what don't I have and how am I
going to attack that to get myself up to speed. Submit your assessment scope, demonstrate for readiness, get to C3PAO, says hey, you're green, you're good. It's kind of like, anybody watch Amazing Race? On Amazing Race you get to that point, they give you the card, you're like, ah, that's these guys. And again, pass/fail certificate. So what are the common, I mean, I'm sorry, the compliance deadlines? This is what they're saying right now. Maybe, I don't know. They're looking at the overall architecture of everything across the board globally, and can people get there by that time, so it may
slip more or less, but two right now will get you by. If you get to level two, that still suffices for: you met our minimum basic requirements, and that's really all you want from a contractual standpoint to do business, right, and then you can build from there. So these are the resources here, that's information on me. Any other questions? Yes sir. He sir so when you're dealing with like infrastructure service software service3 y
Val but do you pass those security checkpoints off as your own because have service that's Microsoft. So you have a service provider providing a service for you. So, great question. There's two answers to that question. One, and we'll use Microsoft Azure for example: Azure is their cloud. Microsoft has to get certified with Azure to meet the requirement. You also, as a company working with Microsoft, need to make sure you're covered, because here's what the problem is: let's say something happens in the cloud. They're not going after Microsoft, they're going after you, because you hired them. They didn't tell you to go get those guys. You got AWS, Google, whomever, that was your choice. It's like a bank: you put your money in a
bank, bank goes bankrupt, you're going after the bank, not the people who stole the money, right? Same concept. So that's also part of the big picture right now of the conversation, because people are curious about, huh, am I still responsible? Kind of, sort of. The way you get around that, though: before you even do business with company A and B, you look at their policies, and if they don't have them, then you find out, well, when you gonna get them, and oh, by the way, once you do get them, how can I get access to my own logs, for example, so I can, as we call in our business, trust but verify, right? So I
kind of trust you, but I don't, not really. So it's on you to build that up, and doing a service level agreement, sometime SLA, that's kind of how you kick that in. Take that a little bit from an assessor perspective, um, you know, when you're doing a FedRAMP certified
provid so what are you do provider doing
yeah it's already online Microsoft's they're
covered point it no longer becomes your responsibility but they know to that's covered by. Right, right, but they may say, hey, um, can you show me a documentation to where you're communicating with them? Do they allow you to see your logs from your servers? So there's not going to be just, oh okay, no problem, they're good. Uh-uh, they're gonna dig into that. All right, yes sir, I'll get you next one. Risk you exam all thatal
Mt
correct correct great Point yes sir the difference between
right, so the dicat is a different house and they look at some different things, so they're not expecting mom-and-pop shop that kind of does some hardware support for big government to have to meet that criteria, which is why they use this, which is a little more scaled down. That's the difference between the two. Y so to become a C3PAO you need a yeah that's govern and that's what qualifies them to certify you. Yeah. Yes sir. Have aut tools my system. Yes, there's a few out there. Um, get back with me, I'll give you the names. I can't think, I was talking about head, but there's two in particular. Yeah, yeah, but there's software, yes,
that you can work with to help you alignment the framewor. No, you're still going to have to put some information in yourself, but it's aligned with it. So what these companies have done, they're smart, they develop the controls in an automated fashion, just like in the government realm we use a tool called eMASS, and eMASS basically is just everything I just talked about, but it's from 853, which is a whole lot more controls, but it's all automated. So you go in there, you go in the system, and it pulls up control 31 and it tells you what it's supposed to be, and you put in information how you meet it and your justification. That's the exact same
thing that these companies are starting to build for this, just different set of controls. There's lots of them out there. Yeah, yeah. Any other questions? All right folks, I want Go pass yes
sir. Kind of, sort of, but they're trying to make it a little more robust. Yeah. All right guys, thanks so much, appreciate you coming out. [Music]