[00:00:00] Max: Welcome to Reckless Compliance Podcast, where we learn about unintended consequences of federal compliance, brought to you by ignyteplatform.com. If you’re looking to learn about cyber risk management and get your product into the federal market, this podcast is for you. Or, if you’re a security pro within the federal space looking for a community, join us. We’ll break down tools, tips, and techniques to help you get better and faster at getting through the laborious federal accreditation processes. It doesn’t matter what type of system or federal agency you’re dealing with. If you’ve heard of confusing terms like ATOs, FedRAMP, RMF, DISA STIGs, SAPs, SARs, or newer terms like cATO, Big Bang, OSCAL, and SBOMs, we’ll break them all down one by one. And now, here’s the show.
[00:00:43] Max: Jack, thank you so much for joining us on Reckless Compliance. My name is Max Aulakh. Today, we’re going to be talking about unlocking the value of CMMC, or actually any Federal Certification, but we’re really focusing on CMMC, different levels, and whatnot. Jack works for Swimlane. He’s the head of GRC. Jack, why don’t you tell us a little bit about yourself, and then let’s get right into the topic.
[00:01:07] Jack: Yeah, thanks for having me on, Max. This is going to be a fun one. I love talking a little CMMC. I’m the head of GRC at Swimlane. Short story on Swimlane: we’re a security automation company.
They’re saying SOAR is dead in the marketplace. SOAR is just an acronym for Security Automation, and it is certainly not dead, it’s kind of on the cusp of becoming a lot bigger than what it is right now. So I get an interesting role here. Leading, you know, our compliance efforts and stuff and building our controls while also being in the product too.
So really focusing on automating a lot of controls and, because we are what we do, it’s still an agile startup, but our customers are large companies that have really mature SOCs. You know, we’re always looking to be ahead of the curve on, I guess, our compliance efforts because that’s what our customers are demanding of us.
[00:02:03] Max: And you got federal customers as well. Obviously, that’s why you got to get into this. And Jack, before I forget, you also run GRC Destroyer. You got a blog.
[00:02:13] Jack: Got a little side hustle. GRC Destroyer is just a blog that I write on Substack. And it’s a little bit of an outlet to, you know, poke some fun and some critique at compliance in general,
[00:02:25] Max: a little bit of venting,
[00:02:26] Jack: a lot of smack about third party risk. But it’s a fun one. I only write when something like really triggers me or it’s fun to write about, but yeah, check it out.
[00:02:36] Max: I definitely will. And I have a feeling CMMC is going to trigger you quite a bit.
[00:02:43] Jack: Ever since you asked me to do this, it’s been on sort of the quarterly goals to look into CMMC Level 1. I’ve got several ideas of where I can take some good content around it, but I’m like, I don’t even know how many people are in my shoes. Like, I don’t know what the audience is for my journey with this.
[00:03:01] Max: Well, let’s talk about it. What are your shoes? What are you guys doing? Or what are you doing for CMMC Level 1? And I guess start with, like, why do you think that’s even important from your perspective?
[00:03:11] Jack: As you mentioned, we have federal customers. And we always have; that’s sort of almost how Swimlane got started, in the federal space. And so we’ve had long-lasting relationships with those customers, but we’re getting into a new era of the company. So we have on-prem, but we’re moving a lot towards the cloud. And so it was only a couple of years ago where we really ramped up our compliance, like certification, sort of our efforts around it, and FedRAMP has always been in the discussion, but the runway with the cost and, honestly, just the time and resources that go into it, we haven’t been able to pull the trigger, basically, from a business standpoint. So while FedRAMP, and it’d be FedRAMP Moderate, is sort of on the back burner, we don’t want to just stop and say SOC 2 and ISO are enough.
We recently had to attest to the Secure Software Development Framework as part of these customers, and at the lowest level, just like with CMMC, it’s a self-attestation. So, as head of GRC, when I get past the SOC 2 and the ISO, the external audits, it’s like, well, what do you do from an internal audit and sort of a risk perspective for the rest of the year?
And it’s developing the controls to these standards that we ultimately want to get to. We’re thinking into the future, but establishing a baseline right now. Long story short, CMMC Level 1, just in the circle of talking to partners about it, it’s a self-attestation, and they’re like, okay, if it’s a self-attestation, we probably have money for that, because you don’t need to hire.
I think it’s really to just get greater visibility and awareness of our controls as it applies to, if we were to get CMMC Level 2, where’s our baseline? And right now, I think CMMC Level 1 is all about FCI data. So that’s sort of where we are from a risk perspective,
[00:05:20] Max: That’s federal contract information, right?
[00:05:22] Jack: Federal contract information, as opposed to CUI. There’s not a ton, or any, CUI that’s flowing through a security automation tool.
[00:05:33] Max: ’Cause it’s on-prem, right? You guys are on-prem. So.
[00:05:36] Jack: Yeah, and so, again, it’s confusing whether CMMC Level 1 applies to us. And I think when you work with the government or federal customers, they’re going to tell you what they expect or what they need of you, but it’s strategic to get ahead of a rule like CMMC, because it’s still kind of being thought about, and we just want to get ahead of it, I guess.
[00:06:01] Max: That makes sense. I think a lot of companies are in that state of confusion, like you mentioned, because, you know, at first it was CMMC 1.0 with five levels, now it’s 2.0 with three levels. Right. What’s that been like for you, Jack? Because you come from commercial SOC 2, ISO, and that’s pretty well understood. And now all of a sudden, like I said, you’re going to be super triggered with this public sector stuff. So what’s that journey been like for you, even though you’re just starting? What are some of the things you’re already noticing, you know, that are different or could be done better? Like, what are some of the things that you’re getting confused about?
[00:06:36] Jack: Yeah, I mean, there’s a lot. It’s a bit like being in The Da Vinci Code with where, I guess, the DoD CIO office is with CMMC right now. And then it’s also confusing where we’re at with just the updates to the underlying framework.
Because it’s all based on NIST 800-171. If you look at any of the public-facing resources about how you even do a CMMC, like if you just start at ground zero, a lot of that stuff was written in 2021, and it’s referencing this NIST framework that has now been superseded by 800-171 Revision 3, which came out in May. So, just fundamentally right there, you’re like, okay, I’m looking at basically the only thing. There’s two things that tell me how to do this. One’s off the official DoD CIO site, and that hasn’t been updated since 2021, and there’s a big banner that says this site’s not going to be updated until we figure out the rule.
So you’ve got that. And I’m like, all right, well. So that’s one resource. And then there’s another Federal Register thing, kind of a guide, that was updated in late 2023, like December 2023, that gives a lot more guidance on how you go about getting CMMC, especially even Level 1, like what’s the deliverable.
And so it’s been kind of a wild goose chase trying to locate the information. And luckily there’s, you know, just people I know in the space that have given me a little bit of their knowledge. ’Cause you kind of have to have that be your full-time job if you want to really keep up with what’s going on.
[00:08:20] Max: Yeah. That’s actually a good point, because unlike other schemes, the government is always running a day late, a dollar short. And to go further with that, Jack, what you’re seeing out there might be totally different. Actually, within contracts, we have seen where the contracts are referring to Level 1 or Revision 1, which is very old, and the AB has their own vernacular.
And then you have NIST with updates and Revision 3 with its own set of vernacular. And yeah, you’re a hundred percent right. Like, somebody has to just live in that and track nuances.
[00:08:55] Jack: Yeah. And it’s crazy if you look at the two frameworks. Like, the original one, I don’t even know if there was a Revision 2, but I basically was looking at, you know, the first 800-171. It’s got more controls in it than the new revision, but the new revision sneakily has so many more requirements.
It’s like fewer controls, but the requirements that lie within the control set, it’s a lot more stuff. For a Level 1 self-attestation, you know, I’m just trying to get the most relevant info I can and not spin our wheels too much until the time comes where we know exactly what’s required. And with the whole SSDF stuff, that was very well defined, what they were asking us for: a self-attestation around our secure development practices.
And it was very lined up, because they needed that at the time. So no one’s knocking on our door yet for CMMC Level 1. This is basically an exercise to get prepared. Luckily, like, you know, I use Anecdotes. I don’t know if you’re familiar with that company. That’s what I use for our compliance management.
And it’s got every framework under the sun with pretty good mapping. Right. So it maps on a requirement basis, not a control basis, though it gets into weird frameworks. Like, once you get out of the SOC 2 world and get into the NIST world, the frameworks don’t make as much sense to map, but the underlying requirements of, like, well, what are we talking about?
And like the first control in CMMC Level 1, it’s an access control. So the requirements, the building blocks of those controls, are going to be something that I’ve already collected evidence for. I can kind of plug and play. Okay. For the most part, I mean, it’s certainly not one-to-one, but I’m happy to have sort of a compliance management tool to get a lay of the land and just sort of see what our baseline is.
[00:10:54] Max: Yeah. Those can be helpful, you know, in terms of compliance management tools and whatnot, but definitely getting ahead of the problem. ’Cause I think a lot of small businesses that we talk to, Jack, and not just small, also large too, I think the most pragmatic approach is, until you’re sure, start with at least the basic submission of, what do they call that, the Supplier Risk Score, the self-attestation, so that you can at least let the government know, hey, we’re open for business, or we’ve got a score in there, in the system.
So that’s a lot of the advice that we give away, and also we learn from others, where you don’t necessarily want to be spending all this money when the actual requirement is not even set, because it could change the way you operate your company at some point.
[00:11:39] Jack: Right. So basically what I know, and you’re more of an expert on this than me, so please share knowledge, but basically what I know: for CMMC Level 1, you’re doing a self-assessment against the 17 controls from 800-171.
It’s still unknown to me if that’s going to need to be revised immediately to Revision 3, or if we’re just talking about the OG 800-171. It’s a self-assessment, and the DoD CIO gives you, that I have, a guide of what they want to see in a self-assessment, and then an affirmation from basically our CEO, by management.
And so that’s what I’m expecting to be putting into the SPRS system. Haven’t even got a login yet. That’s another part of this battle. ’Cause not only is the information a little hard to grasp, just the mechanism of getting into this system. And I’m like, maybe I’ll find the answer once I get into the promised land of that. Maybe just a quick note of, logistically, how you get to just submit this stuff. Luckily, we were already in, it’s a system called sam.gov. You can tell me what that stands for. I’m forgetting right now.
[00:12:58] Max: System for award management. I think.
[00:12:59] Jack: Right. Yeah. So we were already in that just ’cause, I would say, of our customers. And so that gives you basically this CAGE code. You go into their procurement environment system. It’s called the PIEE.
So you already have to be registered for SAM. Luckily that step was covered, but I wasn’t the one who registered it. So I got a contact from the company that I’m interfacing through, being like, all right, yo, I need you to log into this new government system, and we’re going to go from there. And once you get that account, you’re basically eligible to then request access and roles to the SPRS.
So that’s our ultimate, that’s our promised land. Yeah. Get into there. It’s taken a few weeks.
[00:13:42] Max: So right now you’re stuck in what I call the purgatory. You’ve accepted the DoD faith. That’s your SAM. Your PIEE is the purgatory. And eventually you’ll get to submit your score.
[00:13:56] Jack: Yeah. Like, the guy who I’m talking about at the company was like, I just got an error. I think I accidentally put in the wrong email. And I’m just like, I’m sorry, I’m ruining your life here, ’cause you don’t even know what I’m trying to do, but let me know how I can help. So yeah, you need to get on a call with their help desk, but it’s been a couple of weeks going back and forth. And I’m just hoping, if I get this role, get into the SPRS, there might be a portal that just says, this is what we need on the back end.
I kind of created a system security plan for these 17 controls, which is not even really what you need, but I’m just going to play it by ear. I’m like, once I get into that portal, hopefully there’ll be directions, like, this is exactly what you need to submit to us.
And then, like I said, with the compliance management tool, I’ve got a lay of the land on how I want to describe how we do the control and what we looked at, because a lot of that work’s already been done. I would say the biggest lift after that is just formatting it and figuring out if there’s a legit format, or if that format needs to be updated since the 2021 document that I’m looking at online. So there’s quite a few question marks still, I would say.
[00:15:18] Max: Yeah, Jack, I think the journey you’re describing, right? Honestly, a lot of businesses are going through this, and also a lot of cybersecurity professionals like yourself and others who have never dealt with the U.S. government. Like, they’ve never dealt with it. They’re like, all right, what is this SAM thing?
What is this PIEE thing? All right. I made a whole bunch of calls to the Navy and whoever, and then you finally get somewhere. And then it’s like, I’m not going to ruin it for you, but I’ll just say that it is not like the Holy Land that you’re thinking of.
[00:15:53] Jack: Don’t kill my fire. I’m going to let you discover that…
[00:15:59] Max: You’re going to swim there. You’re going to swim through it super fast, man. So it’s awesome. So, when you went internally to do this, from the leadership, management perspective, did they want to go ahead and go beyond where you’re at, like Level 2? Or is this something, Jack, you actually recommended?
Said, okay, let’s start with this, and then we can advance, because earlier you talked about, you know, FedRAMP and all these other advanced things that you might need to do. Talk to me from a leadership perspective, how they kind of felt about it, and you know, what are they thinking, how are they unlocking value if they’re doing this self-attestation.
[00:16:34] Jack: Yeah, no, that’s a great question. And interestingly enough, that combo did happen. Like, why would we even do Level 1? Because people talk in circles, right? Like, people that are closer to the government and are basically in hearsay, like information from somebody who might be more credible than the next, and just talking to a handful of people about this.
That are all, you know, close to the space, but in different, I guess, positions in the space, like FedRAMP regulation, CMMC, you know, RC. So it was like, we need to get Level 3 if we want this to have any business value, and Level 3 is an insane lift. Like, Level 3.
[00:17:17] Max: That is an insane lift.
[00:17:18] Jack: Like, Level 3 is like, why are you saying that? Like, shouldn’t we just get FedRAMP? And then it gets legit. It’s so confusing when you’re talking about the business use case compared to the lift, and in a position like ours, you really have to have that defined business use case. And I think, I guess, the information about how you even arrive at whether it’s worth it is a little bit
more defined on the FedRAMP side. There’s more people trying to sell that, saying, this is what you’ll unlock. But with us being with, I guess, the government for so long and just knowing they’re kind of sitting in this on-prem world, our strategy as a company has been, you know, let’s get the Fortune 500. Let’s get MSSPs. Nothing major is stopping us from being successful yet. Eventually there’ll be that time and that place where we need to tap on that market and get a lot of these federal customers into the future of our product. That’s probably going to be when FedRAMP comes in. But as far as going to CMMC Level 2 and getting an audit done, I basically recommended against it.
I didn’t even have to, like, leadership and, you know, my boss, our CISO, Mike Leiborg, kind of already knew that’s not the right time to pursue. So we’re not trying to spend money for no reason.
[00:18:44] Max: Yeah.
[00:18:45] Jack: And that’s why, always, self-attestation. Like, I guess, if you can justify the lift on my time, which I try to be resourceful with, I’m certainly not spiraling into a rabbit hole every day about this. It’s kind of like, let’s just go on to the next step and see what happens with the self-attestation. It’s a little bit easier, but where does that path lead you? Was it even worth it to do, to even think about it? You know, how much I know about CMMC Level 1 now, does it even matter without that third-party attestation, right?
Without the 3PAO certification, you don’t really unlock a lot of, I think, business value. But like you mentioned, it’s kind of just saying, hey, we’re here. We’re in the system. I don’t know what that means for us, but we’re here.
[00:19:32] Max: Yeah, what I’ve seen is it’s just a contractual requirement to be registered and get your score out there. There’s no bearing as of right now if it’s good or bad, a low score or a high score, but I think for businesses that have a small amount of revenue that they’re sourcing from the government, it’s good. Because, like you said, there’s a lot of companies we talk to that are doing great; 80 to 90 percent of their revenue is sourced from commercial operations.
But you don’t want to necessarily lose 10 to 20 percent just because of a registration issue. But I think it’s a very pragmatic approach that you’re taking. It’s good. It’s good.
[00:20:10] Jack: There’s also, I kind of touched on this, but there’s another benefit in, one, me knowing about this, but also getting Swimlane through it, and in our product, because then we can pass that expertise along to our professional services and ultimately our customers. Our customers are bigger, and they might have these requirements, and they might be looking for that.
While we’re a security automation tool, a lot of audit evidence comes from Swimlane, and we use a lot of audit evidence from Swimlane in our SOC 2 and our ISO. But our customers might have different requirements, especially like 800-53, and wanting to figure that out, you know, we’ve been experimenting with OSCAL and getting that whole framework into our tool.
And trying to map some stuff, like use cases that we do in Swimlane, basically to that framework. And so, I think just getting really nerdy about all things compliance is a business enabler for Swimlane, just because of our customer base.
[00:21:18] Max: Yeah, I don’t want to pick on the OSCAL topic, because that’s another big can of worms in terms of how the government is doing the data standard and all that, but I do know that in the future CMMC will have an OSCAL format too, which will get pretty interesting. I don’t know when that timeline is, but the government eventually will expect that. You know, like filing your taxes, everything has to be standardized and structured in a certain way. And so I would imagine sometime in the near future. So that’s cool. I think it’s very relevant and valuable to get that back into the core, the customers that you serve. I mean, ultimately that’s why we’re doing security, to help, you know, a lot of our customers and whatnot.
[00:21:58] Jack: Yeah. And the thing with OSCAL is, it’s not simple. I get it. Basically, it’s a programmatic way to put a lot of paperwork and controls in, maybe, an easier approach, but you need to really know what you’re doing.
And basically it’s going to fall to the couple of early adopters who make a product on it, maybe a SaaS tool that’s doing all that behind-the-scenes work for you, because it’s very confusing. Like
[00:22:30] Max: it is,
[00:22:31] Jack: It took weeks to even ingest the JSON for OSCAL. And then there’s all these variables in it. So we didn’t do it because we were trying to make a system security plan by any means. We were just kind of playing around with it. But if you were to take all of the, I guess, elements in that code that they’re expecting you to customize yourself, it just gets… parameters.
[00:22:53] Max: Yeah. The parameters, like a thousand parameters.
[00:22:56] Jack: It gets into a crazy world. Like, you’ve got to be sort of an expert to understand how to use that in a useful way.
[00:23:03] Max: Yeah. It’s something we play with a lot, Jack, quite a bit, you know, as a 3PAO. We have to get into all the nitty-gritty and craziness, and I think eventually the government is going to require you to do that for CMMC. So the big difference between Rev 2 and Revision 3 is they’re starting to insert these crazy parameters. We call them ODPs, Organization-Defined Parameters. Where it’s like, pick the kind of encryption you want. Here’s your five choices. Instead of just saying, well, we use encryption. So, I think it’s par for the course; it’s just how DoD does things, overly complex.
And eventually, it’ll get to the point where they want you to define all these things. Can the small businesses handle it? I don’t know. I don’t think so, personally. My view is, if we as cybersecurity professionals are having a hard time understanding all of this, well trained within commercial environments, financial services, healthcare, all of that, having protected real networks, and all of a sudden you’ve got to deal with this complex XML and JSON.
That doesn’t really, you know, help. So, businesses who don’t have these professionals, I don’t know what they’re going to do. Like, they’re going to be lost even more than some people who are cybersecurity professionals.
[00:24:18] Jack: Yeah, it’s overly confusing.
[00:24:22] Max: It is, it is.
[00:24:24] Jack: I love that people are transparent about it. Like, I listen to basically people in the space on LinkedIn, poking fun, also poking holes, like, this is so confusing. It makes me feel like I’m not just absolutely insane, because you go down these rabbit holes and you’re like, I simply don’t understand, like all of those nuanced things that I said about the dates, and what am I looking at?
What is the real requirement? And then being like, do I need to read a hundred pages into something to understand what’s going on? Or is that just a waste of time?
[00:25:00] Max: Yeah. The GRC field, I feel like it’s turning into less of a management field and more of a technical operations, engineering field. You know, it would be nice, in my opinion, if they separated out the management expectations from the technical engineering expectations. So you could have different teams, instead of just putting awareness and training right next to access control. Operationally, those are two entirely different sides of the organization. One might be my HR org. The other is, okay, I need actual technology, IT, cyber engineering.
[00:25:35] Jack: And GRC, sometimes I think about what player of a football team GRC would be. Sometimes I just feel like, for the security org, it’s the quarterback, because you are going an inch deep into all of these domains, and then you get into FedRAMP.
It’s like, who am I talking to about FIPS encryption right now? Because I’m not developing the product, and to expect people to just know about that, even in engineering, like what the requirements are, that’s impossible. So you really have this job where you’re telling people what needs to be in our product and trying to do a gap assessment and trying to figure out the lift. Putting in FIPS encryption is a really great example, because if you have technical debt, or the software doesn’t have it, it’s really hard to put that in after the fact, and who am I to say we can do that easily or we can’t do that easily? I just know this is what the requirement’s saying. What can we do about it?
[00:26:33] Max: Actually, that’s a really good example. I had another podcast with a CISO. His name is Matt King. He’s from Belcan, and he actually pushed back on the government in terms of the FIPS requirement. We talked about the FIPS requirement.
’Cause everybody hates that requirement. It’s unreasonable sometimes, especially if you can mitigate it, if you’re mitigating the concern and things like that. But you’re absolutely right. Some of this will require a language trainer of its own. Interpret, teach, coach. If you look at that sort of pattern, interpret, teach, coach, you’re really not even getting close to cyber engineering, because all those resources are being spent on just taking abstracted language and making it actionable.
Which I think is one of the areas where businesses sometimes have unlocked value, because they’re like, oh, we didn’t know this because we weren’t doing any security. So I’ve seen some upside of that, because it allows for that sort of conversation. If they haven’t done anything, it’s good. But if they’re like your team and other teams where, yeah, we do cyber, we’re a cyber company, it can be overkill.
[00:27:38] Jack: So here’s what I would like to see, I guess, the GRC team breakdown be at a company. And it feels this way at Swimlane, because it’s a smaller team and I work right alongside the security team. And so, with our CISO being the lead of this team, the controls from a GRC perspective are baked into everyone’s role, but it’s really several different flavors.
Like you’re saying, I really wish it was more defined: here are technical controls, and you’ve got a certain upbringing and expertise in your career to be able to operationalize the technology to meet controls. And all you need to do is know what those requirements are. You don’t need to have five years of experience doing SOC 2 audits.
You don’t need to know how to necessarily audit something to ISO standards. You just know how to implement these controls. And that’s largely what somebody coming from an IT help desk and then growing in their career to be an IT enterprise manager does, right? They’re in control of so many controls, like, so many.
And then on the other end, you’ve got your security ops people, the people in the SOC that have a duty. And they’re also operationalizing a large majority of these controls. And when you think about vulnerability management and detection engineering, threat intelligence, these people are a different breed than somebody who knows a lot about a compliance framework.
That’s why I think everyone on that sort of security org should almost be trained, in their respective disciplines, on the compliance controls. So it’s not just one person quarterbacking it once a year, like, oh, give me a screenshot of this encryption. It’s known as part of your job responsibility.
Like, these are the core security controls that you need to be very knowledgeable about. On a small team, when everyone’s discussing, and our CISO is kind of bringing that whole team together, it’s a lot easier for the whole team to be risk-aware and know about security controls. Whereas, if the organization’s a little more siloed, they’re just really focusing on detection engineering, but don’t necessarily know how that falls into the lens of CMMC or any other audit.
[00:30:09] Max: Yeah. That’s actually how I expect teams should run, because they support each other, GRC supports engineering and vice versa, but your comment reminded me of what we expect from the general population of a company. Security is everybody’s job, right? GRC engineering is everybody’s job within their respective disciplines.
But yeah, unfortunately, I haven’t seen that. I have seen, and we’ve seen this, where you’ve got a SecOps team, and then you’ve got the GRC team, and they do not talk to each other, right? But they should. They really, really should. And, you know, I’ve always been taught that they should. But yeah, I think that’s the best way to knock out CMMC, whatever level it is.
Because the big difference between CMMC and other types of audits is they will want to dig in. That’s why they put those funky parameters in. And if you don’t have that type of tight-knit team like you’re describing, it’s a paperwork exercise. No security person that I know really loves their job
if they know they’re doing a paperwork exercise. It just drains the soul. Like, there’s no impact to what you’re doing.
[00:31:16] Jack: Yeah. And just going through what that CMMC Level 1 self-assessment contains, it’s very prescriptive, like, do you have this exact requirement? How so? It’s very prescriptive. I like SOC 2; you just make up the controls.
[00:31:33] Max: I’m gonna caption that: SOC 2, you just make up the controls.
Jack: Within reason.
Max: Yeah, within their principled reasons. But cool, Jack. Well, I really appreciate you coming on. This was meant to be a short podcast, so I appreciate you sharing your journey in terms of unlocking the value with CMMC Level 1. But any other parting words of wisdom for our guests when it comes to leveraging CMMC to help the business move strategically through, you know, getting through federal compliance and whatnot?
[00:32:04] Jack: Yeah, CMMC Level 1. No, I’m just kidding. Yeah. I would say that it’s probably worth it to read up before you put it on quarterly goals, and figure out what, I guess, the business objective is prior to getting into any level of CMMC. I think planning and scoping is one of the key parts. Don’t just go in without a strategy.
[00:32:33] Max: That makes sense. That is a topic for another time: authorization boundary, or the scope of your assessment. But Jack, thank you so much for coming on. I really appreciate it.
[00:32:43] Jack: Thanks for having me, Max. I’ll let you know how my CMMC Level 1 journey comes to fruition.
[00:32:48] Max: Nice. Awesome.
[00:32:51] Max: Thank you for tuning in. If you enjoyed the podcast, head over to ignyteplatform.com/reckless. You’ll find notes, links, and additional content. Head over to iTunes to subscribe, rate, and leave a review.