Long Description:
In this episode, Max is joined by Matt King, Chief Security and Data Officer at Belcan. Matt shares his story of transitioning from Anthem to Belcan, where he has been instrumental in building a security program to meet the stringent requirements of federal compliance. The conversation dives into the DIBCAC assessment process, the challenges of implementing NIST 800-171 controls, the importance of limiting scope, and strategies for pushing back on government requirements when appropriate.
Max Aulakh Bio:
Max is the CEO of Ignyte Assurance Platform and a Data Security and Compliance leader delivering DoD-tested security strategies and compliance that safeguard mission-critical IT operations. He has trained and excelled while working for the United States Air Force. He maintained and tested the InfoSec and ComSec functions of network hardware, software, and IT infrastructure for global unclassified and classified networks.
[00:00:00] Max: Welcome to Reckless Compliance Podcast, where we learn about unintended consequences of federal compliance, brought to you by ignyteplatform.com. If you’re looking to learn about cyber risk management and get your product into the federal market, this podcast is for you. Or if you’re a security pro within the federal space looking for a community, join us. We’ll break down tools, tips, and techniques to help you get better and faster to get through the laborious federal accreditation processes. It doesn’t matter what type of system or federal agencies you’re dealing with. If you’ve heard of confusing terms like ATOs, FedRAMP, RMF, DISA, STIGS, SAAB, SARS, or newer terms like CATO, Big Bang, OSCAL, and SBOMS, we’ll break it down all one by one. And now, here’s the show.
Thank you everyone for tuning in today. My name is Max Aulakh, the host of Reckless Compliance. Today we’re doing a little bit of a different setup. I’ve got Matt King here with me. He’s the CISO in Belcan, we’ll hear from him. But today’s agenda is we want to learn what does it take to get through an assessment ran by DIBCAC, which is one of the government program offices.
I’ve known Matt for quite some time, we’ve talked on and off before, but without further ado, Matt, give us a little bit about yourself, what you do, and tell us about Belcan.
[00:01:18] Matt: Sure, absolutely. So my name is Matt King, I’m the Chief Security and Data Officer at Belcan. I’ve been there for seven and a half years, starting early in 2017.
Prior to that, I was with Anthem, and I was with them for almost 20 years, my entire IT career before that, including internships with them, which is how I got started in IT. In fact, I actually was studying aerospace engineering before I got that internship with Anthem doing IT work, and I loved it so much that I switched.
The irony is, I work for an aerospace engineering company now, not doing aerospace engineering, so it’s kind of a fun story that I like to tell. So Belcan has been around since 1958. Belcan is an engineering services firm. We do engineering work all over the world. We do defense, industrial space, automotive and aerospace.
[00:02:02] Max: So very, very close to the government.
[00:02:04] Matt: Very close to the government. A lot of the work that we do, the majority of the work that we do is flow down work for the government. So it was very imperative for us to really be prepared to be able to store, process, transfer CUI. So when I joined the organization in early 2017, you know, I analyzed the organization, quickly developed a strategy, realized that, oh, we’re at primes, but because of the flow down contracts, I quickly realized that the 7012 was going to be a requirement for us by the end of the year.
[00:02:34] Max: So Matt, you were saying when you joined, you guys didn’t have any prime contracts.
Matt: We did not, no.
Max: Okay. Okay.
[00:02:39] Matt: And through acquisition, we grew and we do have prime contracts now. So we’ve got a specific government division business that does have prime contracts.
[00:02:48] Max: Yes. Okay. So you were saying when you joined at 2017. There wasn’t really a strategy in place. You kind of put that in place. Fast forward, right? How did it happen? You know, what did the government say? How did, why did they even reach out to you guys? How did they make that selection?
[00:03:03] Matt: Well, they didn’t really. No, it was, it was me just paying focus and attention with everything that was going on, right? Of what was happening in the industry and evolution of that DFARS regulation into CMMC when it was initially announced. So, when I joined the organization, I was brought in to build out the security program. There was one person in security at that time. And we’re now up to, I think, almost 24 people.
Max: Wow. One to 24 people.
Matt: Yeah. So, it’s grown quite significantly. Of course, that’s, that’s worldwide. I’ve got four people internationally. So, majority of the folks are here in the U.S., however.
[00:03:36] Max: Nice.
[00:03:37] Matt: So my strategy at that point was to implement those 800-171 controls, at least tactically knowing that that regulation was going to be a flow down.
That regulation is the basis behind the CMMC regulation, the Cyber Maturity Model Certification. So when that, that was rolled out, when that was announced in, I think it was 28, late 2018, 2019, early 2019. And understanding the nuances, I learned about all the nuances of CMMC, it quickly became an approach to, okay, when are we going to have to be truly complying with this, with all the detailed requirements?
And it is all about the detail, right? About how you do things and ensuring that you match those things that you have documented appropriately. And of course, that beat that kept getting pushed and pushed and pushed, as you know, and then CMMC 2.0 became a thing because of the... everybody was pushing back on the one that it was being too difficult, too challenging, and especially for small to medium businesses.
So it really just became a matter of me just watching and knowing when we would need to get ready. And once Cyber AB came out with all the C3PAOs that we would have to leverage as things started to evolve, to me, it became, okay, let’s ensure that we’re going to be ready for this thing. So we did a pre-assessment with a third party.
And within six months, we’d already had scheduled our true assessment, which is our, our joint surveillance voluntary assessment with DIBCAC. So the way that you go about doing that and for those unfamiliar, if you guys go out to cyberab.org, you can look up all the C3PAO providers and essentially you work with a C3PAO provider and you develop and you schedule something with them.
And of course there’s costs associated with that, but you can’t get certified without one. So we did it in a two phased approach. We first leveraged one for pre assessment. And then we leveraged a different one for our actual assessment.
[00:05:26] Max: So Matt, let me, let me ask you this. I think there’s entities out there that have worked with for FedRAMP, which is an older government protocol.
This is new, even though it’s been around for 10 years. When you’re volunteering your organization to have some sort of a view into your organization from the government. How did your leadership react? How did you manage that communication strategy with your CIO or COO?
How did that conversation happen? Because I can imagine. Other people looking at this, like, this is what I’m going to do. But then all of a sudden they got to communicate that up channel it. And sometimes that goes well, sometimes that doesn’t, you’re actually on the other side of it. Help us understand, how did that impact from a leadership standpoint?
[00:06:10] Matt: Yeah, it’s all about transparency. And for me, everything that I was discovering, I would always keep my CIO and CEO in touch with and engage and help them understand that. Okay. With all the work that we do here, the majority of it is going to be controlled unclassified information. You have to understand that if we don’t get prepared for this thing, that it’s going to prevent us from doing this type of business.
So that would be a big financial hit on the organization. So of course, when you frame it that way and understand that the impact it would have financially for the organization, they quickly get behind that. Timing can be something associated with that, right? Yeah. Because of course, not CMMC was going to be a true requirement.
So the way that I sold that really was a fact of, okay, let’s be a front runner here, let’s stand out in front of our competitors to indicate to our customers that we are already basically compliant at this point. I going through this assessment,
[00:07:02] Max: So you didn’t find it challenging, like, cause I’ve talked to a lot of people where, you know, we’re security professionals. We’re always delivering, like, not very good news, right? This is broken. That’s broken. Yeah. And the best we can do is, hey, how can I help you fix it? And the worst is you can’t do that. You can’t do this. Right. So when you first delivered this news to your leadership, how did the CEO and the CIO react? You mentioned something about timing. Like what was their take when you said, Hey, we’re ready. We’re going to call the government and get them to us, you know, do this assessment through a third party and whatnot. Like, how did that really go down?
[00:07:39] Matt: Well, they were excited and then fortunately, I have a leadership team that trusts what I bring to them.
You know, I’ve developed a good reputation both in the organization and in industry. And they trust what I was bringing to them and they wanted to stand out. So you got to understand this has been an evolution over many, many years. I indicated the DFARS regulation and trying to be compliant with that in the 2017, I knew after we did that, we had a lot of things that we had to correct that would become a problem through CMMC, things like legacy infrastructure.
So it’s been a constant push each year with the various teams to ensure that we would truly be prepared for what the certification would require.
[00:08:17] Max: So a lot, a lot of legwork you had already done, you’ve already made the investment and the answer is easier at that point, right?
[00:08:24] Matt: Yeah, it was, it was continuous improvement for us throughout the cycles.
From when CMMC 1 was announced to CMMC 2. Understanding the timelines that came through. So we really hit the ground running at the end of around October, 2022. And that’s when we really started developing and requiring projects of the other parts of the organization to get through all the documentation, to correct a few deficiencies that we knew that we had based on how the rules had changed and, and once the assessment guide came out, knowing exactly what they’d be looking for was something that was, that really changed our mindset in terms of some of the things that we thought we had a handle on.
[00:09:05] Max: Yeah, actually we’ll dig into the government. How they treat different people. I think a lot of people get freaked out like, Oh, government’s going to show up.
So you got the management on board and you mentioned something about reaching out to the AB. Logistically, I sort of have an understanding, but at what point do you have the direct contact with the government? Is that all through the AB, or do you get to interact directly with the DIBCAC PMO? At what point does that happen?
[00:09:34] Matt: Yeah, that’s through the third party assessor that that happens. So once you work with your third party assessor especially when you’re talking about joint voluntary surveillance assessment (JVSA), they have to get approval to do that through your organization.
So they identify a couple of contracts that you’re doing that are government contracts with CUI flow down. They provide that back to DIBCAC, determine whether you’re a good candidate associated with doing the joint surveillance. And fortunately, we got approval pretty quickly to be able to get this done.
[00:10:02] Max: Nice. Now, did you start out with that? I’ve also heard DIBCAC typically does like, well, they do a lot of different assessments. Yeah. They do 3PAO, joint surveillance. And there’s this other thing called like NIST 171 assessment. Did you have to kind of distill which one you wanted to go with or, or how did that work out for you guys?
[00:10:20] Matt: Yeah, so the joint surveillance assessment is against NIST 800-171 against that control set. So we knew what we had to do associated with that. And we’ve been in contact with them a couple of different times just around their different capabilities and things of that nature, but nothing really came to fruition just based on our schedules and our focus on getting this done.
But going through the C3PAO, knowing we had to adhere to these controls for 800-171, that’s really what the assessment is about is against those 110 controls.
[00:10:50] Max: Got it. Got it. Okay. So let’s talk about the day before or the, the minute before the week before. We’ve gone through it as an emerging C3PAO and as FedRAMP auditors. You’ve got to upload all this stuff. Everybody’s sweating, making last minute adjustments, right? How was that for your team? How did that happen? What was the impact on the team and let’s kind of just walk through that journey. When they got the information and the auditor showed up, how did that go for you guys?
[00:11:20] Matt: So we were a little bit last minute with our pre-assessment. We were not with our actual assessment. And that’s because that gave us a better understanding of what the actual assessment was going to look like, because it basically mimics it not in its entirety, but at a high level.
[00:11:34] Max: Okay.
[00:11:34] Matt: But knowing that we’d have to provide all that documentation, knowing exactly what they’d be looking for.
That was really the catalyst to ensure that we got over that finish line. And there were a couple of small minute things that we had to adjust based on what they discovered. So going into the actual assessment, we were ready probably a week before. To be ready to go. It was in sort of two phases.
There’s the virtual assessment that happens where they go through all your controls. You talk about how you have the controls applied, how you meet the particular controls. You provide the evidence. And of course, that one of the biggest things I can tell you is much information you can provide in that documentation, including evidentiary is going to get you a leg up and getting through that easily.
If you’re having to search for all that evidence and provide it consistently, it’s going to take a while. In fact, we actually did two different assessments in one.
[00:12:24] Max: Talk to me about that. What does that mean?
[00:12:26] Matt: We separated our Belcan government solutions business with Belcan engineering.
And the reason why we did that is because of prime contracts versus secondary contracts from flowing down. So Belcan gov has prime contracts and because they have prime contracts, they’re receiving a lot of RFIs directly through email. So we actually moved them over to a government compliance cloud high environment for every 365 GCC High.
So that group was operating a little bit differently. We said, okay, we’ve got this one operation over here. That’s different than our day to day for engineering. Let’s just do two, just in case. That way, let’s say, for example, maybe on the gov side, someday we want to go to level three instead of level two, we’ll just make it more simple for us.
[00:13:11] Max: I see. So you actually separate out and had two different scopes.
[00:13:14] Matt: We did, but the majority of the controls are still the foundational overlap. They overlap quite a bit. So a lot of them are overlap, and then there’s some nuances with some things. We actually had to do sort of double duty with documentation with everything.
It was even a larger lift than what a normal organization would do. But to that end, our C3PAO told us that this is the fastest that they had gone through a certification, let alone for two. Because of our preparedness.
[00:13:43] Max: You got double checked because I had no idea. So, did the DIBCAC the government auditors, did they kind of treat those differently? Or did they just follow their same kind of guidance for assessing?
[00:13:53] Matt: It was the same kind of guidance. And you know what, for those of you who may feel a little intimidated by the government folks on the line, They’re mostly in the background, and so the C3PAO is running the assessment, and then if they have a question from the DIBCAC of whether something would be sufficient or not, they’d bring that up to them, or hey, do you have any challenges with this or concerns with how this is functioning?
Basically just a general check they’re having. So once you get through that virtual assessment, there was some physical assessment that has to happen too.
[00:14:24] Max: You actually had somebody come on site.
[00:14:27] Matt: We did, but DIBCAC does not need to be there typically, depending on who the third party assessor is and their relationship,
[00:14:34] Max: Well, what about for you guys? You are local here at Cincinnati. We have Wright-Patt here. Did, did you have all remote or?
[00:14:42] Matt: We’ve got about 30 something offices in the U S we’ve got about 10 in the UK. We’ve got two in India, we’ve got one in Canada, one in Mexico. So obviously not all of those are in scope associated with CUI.
So what we did is we chose three different offices to visit for the physical assessment just to make sure that the controls matched. And two of the sites were where our primary and secondary COLO data centers exist. One here in Cincinnati, one in Indianapolis, and then the third site was down in West Palm Beach, Florida.
So they just basically separated their people and went to the different sites and did the assessments. And just verified the physical controls. So we were in good shape.
[00:15:21] Max: That’s something we talk about quite a bit is just being prepared because teams do get separated. There’s a lot of controls, 110 things you got to talk about.
And how did you manage that in terms of like separating? Cause you got 25 people. Different people have different knowledge, knowledge base. Right. So tell me a little bit about like, how did you kind of divide and conquer this on it?
[00:15:41] Matt: And it wasn’t just our team that need to be involved.
We’ve got infrastructure and core it operational teams that need to be involved too, because they’re a part of the processes, anybody who is involved in the processes that you’re documenting need to be involved in what’s happening. Because you want to play checks and balances and verify that they’re doing things the way that they say that they’re doing things, because that’s exactly what’s going to happen during your assessment.
So to answer your question around how we separated all those things, I mentioned the project level effort that we did. We brought in a technical writer to help with the documentation, and we basically ran things in Agile sprints to be able to get through all the nuances associated with each of the controls, ensuring we had everything documented, ensuring that we had our evidence information copied and things of that nature, and also playing the checks and balances that other staff to verify that that things were being done appropriately the way it was documented.
[00:16:32] Max: Yeah, I’ve heard you say documentation quite a bit with Slack.
[00:16:35] Matt: Yeah, obviously there’s the system security plan, but there’s more to it than just that. System security plan is sort of a high level of this is sort of what we do to meet this control. You also have to document all your processes and procedures for how you manage those things, right?
Because it’s not just the technology that you need to document in the SSP, it should reference other things that the other teams are doing, exactly what they’re doing, in order to address that particular control.
[00:17:03] Max: Got it. Yeah, I can imagine. That’s a... For an organization like yours, two different scopes, global. That’s gotta be quite a bit. That’s awesome.
[00:17:11] Matt: There’s no way you can do it without great people.
[00:17:14] Max: So let’s see if we can get to like some of the challenges. People want to know candidly, what are some of the nuances maybe between the two entities? Because you’ve got a global spread and a lot of organizations are challenged with that.
And then also, what are some of the takeaways? What are things you learned directly from DIBCAC versus that C3PAO? What are the different, challenges that you kind of picked up and insight from interacting with those two different groups?
[00:17:42] Matt: Yeah, so let’s talk about initial challenges prior to going through sort of the pre assessment and assessment phases versus getting over the finish line and things of that nature.
So from initial challenges, I mentioned when the assessment guide came out that we realized that some things work as they said they were. So a lot of things with initial documentation for controls from the government. It’s a little bit of based on your understanding of the control, right?
[00:18:10] Max: So a lot of interpretation
[00:18:11] Matt: and we implemented things based on that interpretation and of course, some of those things were incorrect based on the assessment guide. So that was a little bit of a challenge to get around that and to plan for some of the corrective actions associated with that. I knew we’d have to do documentation and we had quite a bit done prior to our pre assessment, but there were still some gaps that we had to do. There’s a little bit of nuance detail.
[00:18:36] Max: Did you find any conflicting information? Let’s say a person said this, but your internal team believed something else. What are some of those conflicts that you were like, man, I didn’t know this?
[00:18:52] Matt: Yeah, there was one conflict in particular that I actually pushed back on DIBCAC on. We’re not doing the assessment. We’re allowed to do that. If you feel like you’re meeting the control.
[00:19:01] Max: So what was the conflict? And let’s dig into how, how you pushed back.
[00:19:04] Matt: Yep. The item in particular was around the FIPS validated encryption. That is the biggest challenge we’ve experienced is that one in particular because there were only certain technologies that don’t meet the control, and if you’re storing, processing, transmitting data that’s controlled unclassified information, it has to be FIPS validated, not a FIPS protocol or FIPS
[00:19:27] Max: algorithm, but it’s got to be actually validated on the site.
[00:19:30] Matt: It’s got to be completely validated. So if it’s not validated, it’s not appropriate. So, and the challenge that we had was with our backup tapes, our backup tapes were using a FIPS approved algorithm. But the infrastructure behind it was not FIPS validated.
[00:19:45] Max: I see.
[00:19:46] Matt: Because we were shipping those off, and they were in transit moving to a third party provider that securely stores that for us that shipment, and because it’s in transit, it has to be encrypted with FIPS validated. So that was the biggest challenge that we met with that.
[00:20:03] Max: I think you’re not alone in that. I’ve talked to a lot of people, and they’re like, I hate FIPS.
[00:20:09] Matt: Yeah, so I’ll tell you how I push back. I actually push back in two ways. I push back in one way because level three actually doesn’t state FIPS validated.
Okay. It states something to the effect of organizationally defined encryption.
[00:20:27] Max: Okay. Right. So like a parameter that you can adjust.
[00:20:31] Matt: The second piece was because the storage was being stored in a secure facility and it was transmitted in an improved box, like a lockbox basically. We stated, okay, this is where other controls are satisfying the protection of CUI and transit in this case.
[00:20:50] Max: So you had some mitigations.
[00:20:52] Matt: We had some mitigations. But they disagreed with us.
[00:20:56] Max: So it’s not a black and white? How did you get them to break? Because that’s the fundamentals. That’s the essence of risk management. Because right now, everybody’s like, no POA&M, this, that, and the other. But there’s always the gray matter. How did you crack the code for “Hey, I don’t have to have FIPS everywhere.” That’s hard, man, so I’m interested.
[00:21:21] Matt: I give credit to our C3PAO because when I pushed back, they pushed back on DIBCAC as well. They decided they’d go and discuss it that evening, and the next day we came back, and unfortunately they decided that that was still an issue for us. So that was actually the only open POA&M item that we had. Was to resolve that issue even. But here’s the thing, Belcan Government Solutions didn’t use backup tapes because all their CUI is in the GCCH environment. So they actually end up with a 1100, outta 110 immediately.
[00:21:52] Max: Nice. It’s the other side
[00:21:54] Matt: It’s the other side that had to deal with that open item.
So it really just came down to, if you understand the language, you understand the controls and being through this. And you feel like you’ve got mitigating controls to address them that meet within the other criteria. It’s okay to push back a little. I wouldn’t push back on everything.
[00:22:12] Max: Yeah.
[00:22:13] Matt: I think that would be a deterrent to what’s the intention is of protecting controlled unclassified information.
[00:22:20] Max: But pushing back on something that you believe. You’re addressing and meeting the intent of the control. You saw a DIBCAC being a little bit more reasonable. I’ve heard that.
[00:22:30] Matt: You know, honestly, I felt like it was, the whole thing was reasonable. I felt like, I felt like it was not nearly as challenging as what people were making it out to be just from a, it was a lot more laid back, I guess, than I would have thought.
[00:22:42] Max: I’ve been on the government side, right? The government gets blamed for all sorts of weird stuff. Like, Oh man, they’re this, that, and the other. But it sounds like your experience was pretty positive.
[00:22:51] Matt: I’m happy that they’re moving forward with these controls, right? This is national security issue.
Everybody’s been asking for this for a long time and getting to the point where we’re finally here, where it’s an actual requirement for these contracts, particularly around the defense side is critical and, you know, obviously being very supportive of that being sort of an early adopter, but I was excited to go through this and I think the majority of my team was excited to go through this and to get this assessment done.
But it wasn’t really challenging. You hear a lot of stories with working with the government on things where they’re all hard asses about things. And certainly we want them to be thorough and they were, but if you’re prepared, it’s just like any other assessment, really.
[00:23:36] Max: I think security people are the only ones who are excited about going through assessment. I talked to CFOs and CIOs. They’re like, Oh no. The totally different mindset.
[00:23:49] Matt: Well, we’ve been asking for this kind of thing. I demonstrated my excitement with my leadership team. So they were excited for us too.
[00:23:53] Max: That’s cool! That’s awesome to have somebody on your side from the leadership side of the house. So any key takeaways. We’re at the tail end of this. I think you provided a lot of insight. I really appreciate it. I think a lot of people are struggling with that FIPS control.
There’s hundreds of controls that they struggle with, but that is probably the number one thing that I hear a lot of complaints about, but as a takeaway, any other lessons learned, soft, hard, technical skills, anything. For somebody who is looking to do this, what would you tell them? Like, how can they prepare for this?
[00:24:26] Matt: I could probably talk about that for hours. Maybe it’s like in podcasts. So the biggest thing I would say is if you can limit your scope, it’s going to make things easier for you. Right. So we did this mostly organizationally, not the entire organization, but the majority of the enterprise, right.
Which is a pretty big lift, but if you’re only doing working with CUI in a small frame within your organization, it’s going to make your lift a lot easier. And if you can compartmentalize that, makes things a lot easier in terms of what you have to document and prepare for. Certainly understand your scope, make sure you document everything associated with your scope, make sure you document what type of assets of those are and how they’re involved as a part of the organization and how they’re involved as a part of the operational process.
Make sure you document that operational process from there. That’s going to help you to understand each of the controls for each of those areas. Start diving into each of those controls associated with each piece of that puzzle and again, document, document, document.
[00:25:25] Max: I think what you are touching on is so important. A lot of big organizations have resources, right? We had a CISO of another large organization, Battelle. Downstream suppliers, they don’t have that many resources.
So I think that key takeaway of limiting your scope and documenting is important. But now tell me about the skillset side of the house. Cause I’m really trying to get information out from you for all the other impacted parties that don’t have 25 people. Yeah, there’s a lesson on doubt.
[00:26:03] Matt: I think the biggest thing there that we were missing is just somebody to focus on the documentation, which is why we hired the technical writer that really sped things up. And he did a fantastic job of really, really focusing and diving into things. We actually moved him over to our compliance organization after we were done with that effort and he’s been doing very well there too.
But in terms of skill sets, if you don’t have somebody that doesn’t understand your technologies and you’re lacking that skill set, you’re going to have to figure that out because you all the controls are specific to each of the technologies that you’re leveraging. If you don’t have somebody who understands encryption, obviously, that’s a big deal.
Make sure you’ve got somebody who understands that well and understands how to implement the different algorithms necessary because it’s not just the FIPS validated systems, it is how that data transfers and ensuring that you’re using the proper algorithms associated with that transference as well.
Those are probably the two biggest pieces, but really it’s dependent upon how you’re supporting controlled unclassified information. What technologies are you using? What’s the particular work that you’re doing? If you’re doing manufacturing type work too, you got to make sure that you account for that and associating with CUI and controlling and protecting that there as well, so.
[00:27:11] Max: Awesome, Matt. Well, I know we wanted to keep this kind of short and light, but I really appreciate you coming on this. I think we talked a lot about a lot of different things. I’d love to have you back on, maybe dig into what is CUI, supply chain concerns, because as you know, this topic, like you said, we could talk for hours.
Like I’ve genuinely enjoyed this conversation. So I really appreciate it. And I encourage everyone who’s listening to connect with Matt on LinkedIn. So thank you so much, Matt.
Thank you for tuning in. If you enjoyed the podcast, head over to www.ignyteplatform.com/Reckless. You’ll find notes, links, and additional content. Head over to iTunes to subscribe, rate, and leave a review.