
Has CMMC Changed Cybersecurity Culture Forever?
Trust Issues · 2026-06-23 · 32 min
Substance score
45 / 100
Five dimensions, 20 points each
What our scoring noted
Our reviewer’s read on each dimension, with quotes from the episode.
Insight Density
A few useful operator points (CUI boundary scoping tradeoffs, cyber org reporting structure, change management via ticketing rollout) but heavily padded with rapport-building, repetition, and obvious advice about culture and honesty.
It's a culture shift that is so much larger than IT or cyber.
now those specs are CUI, and we have crossed the boundary without even realizing we've crossed the boundary
Originality
The reporting-independence argument (cyber under CTO creates conflict) is moderately fresh, but most of the content is standard compliance-consultant messaging about culture, honesty, and best practices everyone has heard.
I, I, I don't know that I care really, other than when it reports to the CTO, we struggle with getting things done
In my dream world, people are already doing these things because they are best practices
Guest Caliber
Guest is a genuine practitioner with relevant federal/cyber background (Navy CTM, two decades in IT/cyber, CCA, becoming RPO), but she is a solo consultant rather than someone who has run CMMC programs at scale across large organizations.
I started out in the Navy as a CTM, which is a cryptologic technician maintenance
I am going through my RPO registration in the next couple of weeks. Right now, I am a CCA
Specificity & Evidence
Mostly conceptual with a few concrete anchors (False Claims Act, $400-500M contractor fines, the CUI/specs example), but lacks named companies, specific client metrics, timelines, or detailed case data.
do you have $500 million you could pay in fines?
now that they're using the False Claims Act for cyber issues
Conversational Craft
Hosts ask some real follow-ups (where should cyber report, how to handle resistant IT staff) and share their own field experience, but much of the dialogue is agreement, validation, and shared anecdotes rather than challenge or pushback.
Where do you think it, it reports to then? Do you think it should, like, truly be, like, an independent thing where they report to the CEO
I have a follow-up question on that... Any advice?
Episode notes
Being CMMC-ready isn’t just about having your paperwork in order. It’s about having a security culture that’s ready for change. In this episode of Trust Issues, Brandon and Bruno Lecoq welcome Karen Connor, Founder of ReThinQ Labs and cybersecurity compliance expert, to unpack the kind of culture that sets organizations up for CMMC success. From why most organizations fail their assessments despite claiming readiness and how to build a CUI boundary that actually protects your business (and your bottom line) to the leadership shifts required to embed security across every department (not just IT), this conversation reveals why your IT team alone can't get you CMMC-ready and what it really takes to future-proof your federal contracting business.
Full transcript
32 min · Transcribed and scored by The B2B Podcast Index.
Welcome to Trust Issues. On today's episode, we're joined by Dr. Karen Connor, founder of ReThinQ Labs. She's a cybersecurity leader specializing in compliance, organizational change, and federal business strategy. With certifications including CISSP, CCA, and PMP, she brings both technical depth and leadership insight into one of the most confusing areas in cybersecurity today: CMMC readiness. So, welcome. We're really glad to have you. First thing is just how does one get into this space? You know, I see that you have your PhD, really curious how one goes from that, or maybe there's even a story from before that, coming into the CMMC space. Thank you, Brandon. I do everything just a little bit backwards. So my PhD was a much later in life thing. I started out in the Navy as a CTM, which is a cryptologic technician maintenance, and I started building systems, troubleshooting systems, maintaining large systems that I had no idea even existed, obviously, before I joined the Navy. That is how I got in the federal space. During that job, I got a lot of collateral duties. That's what we call them in the military. They're collateral duties. They're not your actual job, they're just a job that you're going to do in addition to your actual job. One of those was command training, and I started to really get involved in how people learn, how do I get them to not just pass the test, but retain the information. And I got really fascinated in how the brain works. So, as I finished my time in the Navy, I built a few businesses. I'd been a federal contractor, a government employee, and in some time in, in the mid-2010s, I decided I wanted a PhD. This was for me. This was not because I needed one. Obviously, very few people do. Um, but I really enjoyed the learning process. I probably would just go to school full-time if someone would pay me for that. And that's where I started to focus on cognition and instruction specifically. 
How do we help adults who are going to work every day really understand what they're doing, maintain that understanding in a way that creates understanding across the, the whole board, the whole, the whole company, um, and brings value to the organization while they're there. Um, but also sets them up for whatever career path is next. Um, one of the other collateral duties I did was career counseling. And so, how do we set you up for life after here? Because you're not staying here forever. So, that's how I got my PhD. I spent my whole time in, in the government as a national security person who worked in a lot of IT systems, a lot of architectures and infrastructures around just general IT, satellite communications, and my, my final love, cybersecurity. So, I was building systems across those spaces for more than 2 decades, not to age myself. And I just, I genuinely love it. I love to take people from, I don't really understand this to, oh, I fully understand this and I can do this. So that's, that's kind of how I got into the readiness space. I prefer that much more than passing or failing individuals in an assessment. I would rather help you get where you're going to pass and be able to pass with confidence. Wow. Yeah. I mean, just from that background, I can tell why CMMC is a good space for you. Yes. So, I speak fluent government regulations, whether that's FedRAMP, whether that's RMF, which they use internally in the government, or CMMC. They all are similar but different, and we can, I can help you with all of them. Happy to teach you where we need to go along that journey as a team. Maybe tell the audience, like, kind of where do you fit in the space of the CMMC world? Like, are you an RPO? Are you a C3PAO? Like, are you an MSP? Like, kind of like, where do people find value in your services? I am going through my RPO registration in the next couple of weeks. 
Right now, I am a CCA who can come in and consult with you to talk about cyber, talk about why CMMC matters, how do you get your organization, usually reluctant organization, to get the executive sign-off and move forward. You work with clients today and they come to you and they say, "We're ready." What do you find when you start working with them? My favorite clients are the ones who come to me and say, "I'm absolutely not ready. I don't know what to do, and I need your help." When I do have people who come to me and say, "I think we're ready," I do find a lot of them are, are not ready. This is a very specific requirement set that has very specific characteristics and requirements specific to the federal government that not everybody in the commercial world has to abide by. And even long-term federal contractors haven't had this in the past. So, they think they're ready, and then I come in and I'm like, "Oh, but we don't really actually know who has access to your systems." And they're like, "But they all have a login and a password." And I'm like, "That's not the same thing." And so, I find a lot of people who say they're ready are actually ready. I often find that when people come to us, they say, "Wow, this CMMC stuff is coming out of the blue, it's all this extra work now." But like, didn't they have to comply with like DFARS 7012 this like the last 10 years? And are they essentially just admitting that they weren't doing anything about it? I try not to assume malicious or negative intent. What I will say is this is surprising for a lot of people, though the government is very famous for hurry up and wait, though it should really be wait and hurry up. So we've been talking about this for a really long time. I think where people get caught up is it takes so long to make these sweeping changes in the government that everybody's like, "Oh, it's not now, it's not now, it's not now," and then finally it's now and we have to do something about it. 
And so, that can feel a little bit abrasive and abrupt for people who are already functioning in this space. And so, I think DFARS are interpretive, right? Like, people interpret those different ways and they're like, "Oh, I definitely meet this," but they didn't have anything to assess against, really, because there was no criteria where somebody was looking over your shoulder and saying, "You said you did this, but I can see these 18 examples of where you have not." And now we have that, like, audited space where people are really looking at what you do and saying, "Oh, you missed a few here. Let's fix that." And so, that's also why I really love the readiness game because you get to help them build this from scratch instead of just being like, "Nope, you failed." Um, because that's the worst thing ever to say to anyone, um, especially when you're spending as much money as you're spending for the CMMC space. There's something fun, I think, um, that all humans like in like building stuff and building out capabilities. You know, I think it's why games like SimCity or Zoo Tycoon are always a lot of fun is 'cause it's like you're going through the process, it's new, you're building stuff, and, and it feels fun to be able to like at the end of it be like, oh wow, like I truly am a different company. You know? Yes. And it, it's a huge culture shift that people struggle with because it's not your IT department. I would say, while they have a big part of this, they're like the least important part of this, right? It's, it's a culture change. It's a, do all of my people understand? Does HR know what I need from them? Are people really badging in like they're supposed to badge in? Um, I, everybody tailgates, like I badge in, everybody comes with me and I don't know who's in the building. 
And, you know, like these are things that nobody thinks about until you have, you're like, you, you're shown a document that says you can't, you can't do that, and it's gonna cost your company a lot of money when you fail and have to redo the CMMC assessment. So it's a culture shift that is so much larger than IT or cyber. That is where I think a lot of people struggle. I like your point. You know, for me, I see when people talk to us, it's always, most of the time come from the IT department and the IT thinks they're in charge of the CMMC process. Yes, they have the big part of it, but at the end, most of the time, they are okay on the IT side. You know, what they don't realize is, hey, is it exactly like you said, is everyone else on board from the top down? You know? Right. Because IT's got it, but I bring in Sally, who touches CUI every day, and she's like, I have no idea if I can email this or not. Um, and there are times when you absolutely can email CUI if you've spent the money to be in a system that allows you to do that. Feel free. But they don't have the understanding that I'm actually not in that system and I have this Dropbox that is rated for CUI, and that's the only way I can accept it. And that's where I think a lot of people struggle because IT's got it. They're like, you cannot do that. But maybe customer support doesn't know that, or maybe finance and accounting doesn't know that, and they're inadvertently touching CUI outside of the boundary without even acknowledging what it is. To that point, where IT is not the only people who should be involved, who do you find, like, for example, when people are drafting, like, their policies and SSP, do you find that, like, your clients, it's often, like, IT who's, like, doing that type of stuff? Yes, I do. I feel like when we get a CMMC requirement, they send it to tech, and they're like, "Go do this," and tech's like, "I mean, I can write this down, but are you going to follow it?" 
And then there's, well, who owns it? Who's going to sign what policy? And this is really any federal requirement, no matter what it is, you are talking top-down. And that means if you're doing CAA, DCAA, if you're doing FedRAMP, if you're doing RMF, it doesn't matter. If you are functioning within the federal government, I need your executives to really be on board with this. I can't do it without them. I can't have them taking shortcuts because it makes their day a little bit more efficient. I need them involved so that everybody knows this is a decision we're making as a company, that this is important to us. This is the business line we're interested in and we're going to commit to this. Right. Right. Wow. I wish all our prospects were like that. Yeah. But no, I think exactly. If I look at all our prospects or clients we talk to, exactly like we said, it starts from IT. IT is the one driving, they have to chase everyone else, and everyone else is wondering, why do I have to do that? Okay, I was not told, I was not, you know, I didn't— whoa, it's so many hours I have to put together. Whoa, I wasn't told this either. You know, it's just— and I think the worst for me is people realizing that this is only the beginning. You will get your certification and then you have to follow the process month after month. It's, you know, you have to have your program, you have to have your risk assessment. It's just how you are going to run. It's not the IT of yesterday, you know, so. This is an everyday thing. And I think even if you're not working within the federal government, I think CMMC is for everyone, right? Like these are best practices that are not specific to the federal government. Everybody should be doing this. It's not convenient. Like, like if you, if you put me in my program manager hat and you've got your like cost and schedule and, and like, what's the trade-off there? 
It means you get to be a company tomorrow because maybe you've prevented a breach that would've taken you down. It's, you still get to operate because you have this plan over here that said, if something goes wrong, here's what I do, right? So in, in this work, I end up doing like a lot of business continuity because people don't know what that is, especially out in the commercial world. They're like, what do you mean? And I'm like, what do you, what do you mean? How do you not know? So we spend a lot of time talking about like, why are all these things important? How do they stack onto each other? How do you build an entire culture of security? In the government, we talk a lot about things like OPSEC and what does that mean and how— and that's operational security. Sorry about my acronyms. How do we keep operational security at the human level, but also at the tech level? Like, are you doing the same thing every day? Do you have your phone on everybody's guest network? Do you understand what happens when you do that? Those type of things all kind of combine. When I come in as a readiness person, I get to talk about all of them. And like, admittedly, I'm a nerd, uh, so I love all of these things. And so it really brings me a lot of joy to help companies realize, hey, I could be doing this better and it benefits everyone, not just my federal contracts, but my business in general. For me, I love what you just said because again, if I look at BMO and me being the CISO is we are, we are SOC 2, we are ISO, we are HIPAA compliant. Yeah, CMMC, but now we are running as a CMMC. Exactly like you said, from my learning is CMMC brought for me some best practice that we were not doing, that we are now going to do. And I feel like, yes, it's a lot more work, but I will sleep better at night. In my dream world, people are already doing these things because they are best practices and because we do. 
Especially in 2026 with Mythos and all of the other AI tools that are coming out that are gonna be able to rapidly destroy businesses who are not attuned to what's happening. My, my dream world is I come in and you're like, I'm already there. Maybe I need a few tweaks to a policy, but this is what we do because it's, it's how we keep our employees safe. It's how we keep our business safe and how we can continue operating. In the CMMC Field Guide, you mentioned that the CUI boundary confusion is one of the most common and costly gaps. Gaps that organizations miss before assessment. Uh, I, when I read that, I was like, this is really interesting. So, like, what do you mean by that? Boundaries are hard, especially if you've never had to draw a boundary, because everything's so interconnected now. And I'm not saying that's wrong, I love interconnectivity, but it's interconnected in a way that we don't fully understand. Like, maybe we don't have great data governance and we don't know, we're not tagging our data properly, so we know what is flowing where and how it's supposed to be treated and handled. Um, when we get to a boundary that we draw, we— I usually find like super big ones, like everything is in the boundary. That's your choice. That's definitely a choice. Um, but that's an extensive choice. And, um, well, I would argue maybe even most secure, it's still expensive and maybe not likely to be able to be maintained over time. Or they're really small and they're like, no, I don't do any of this outside of this boundary. Yep. We have one person who does our federal contracts, and she's the only one who is ever going to need to have this protection. But then she needs a coworker, like maybe a software engineer, because she's building software, and she's like, "Read these specs and give me back your LOE." And now those specs are CUI, and we have crossed the boundary without even realizing we've crossed the boundary. 
And let's be frank, like, government data isn't always tagged properly. So maybe she really didn't know because it doesn't say CUI on the cover page or any other page after that. And so those are the cases where I find like we build this really small boundary, but we didn't understand our workflows and how they interact with each other. And now we have a compliance incident. Do you know, to your point, what I see very often on that topic is, again, there's for me a difference of someone that wants to be CMMC for the paperwork or someone that wants to shoot CMMC for the best practice. And if I want the paperwork, ah, I want to be as small as possible because, you know, that's it. And it's not like, no, be honest with yourself. Where, where are you? Where, you know, to your point, don't, it's not everything, but it's not nothing. The reluctance to expand the boundary because that's more training, that's more people involved. But a data breach is way more expensive than training your people how to treat CUI and protecting it accordingly. A data breach ruins your whole company at, at some— and now that they're using the False Claims Act for cyber issues, like, you can't afford a federal contract data breach. You can afford to prevent it, though. And if you can't afford to prevent it, then maybe we, we should talk about whether or not you're ready to enter this space. I have a lot of, a lot of people that I speak with that are like, "Well, I'll do it when I have a contract," and that's not how the government works. I, I get it from a business perspe— I mean, I have a bus— I know. Sometimes it costs money that you don't, you're not earning back, but the ROI could be huge if you do it right. And so we get a lot of that too. Like, well, it's not contract time yet. I'm like, can you do this in 60 days after your contract? I, well, we doubt it. And so let's start what we need to start here now. 
And then as you get closer to getting that award, maybe then you engage with the C3PAO. I don't recommend that at this point because they are drowning in trying to get all these assessments done, and that really can impact your business line. There's a lot of cost, which rightly so. There's a lot of questions from the business level, like, does this make sense? Um, but you can't have both, right? You have to pick. But you know what I find interesting on my side is we have many customers that come that already self-certified themselves before. And you are like, and you open the hood, and you are like, there is no way. I'm sorry, but you know, there is no way you, you self-certified, but you are not ready. It's the same with companies that come from hospitals. They are HIPAA. You open, you are not HIPAA compliant. So all the self— yeah, I always found that always very dangerous. Yeah. I always found that this self-attestation has always been kind of a joke in terms of when they come to us, and we say, all right, like, go ask me, gimme your SSP, and your SSP's 50 pages. And I'm like, oh. They're like, oh yeah, we have an SSP. Like, checkbox, done. Onto the next thing. I'm like, oh no, like, this SSP's not, it's not real. Right. Right. Yeah. It has like no actual technical data in it. And you're like, oh, but how does this connect to this? And what data's flowing over that? And they're like, well, all of it. They're like, why are you asking so many questions? Proprietary information. That's why I signed this NDA. Yeah, because they're gonna ask so many questions. I'm here because I work in the readiness space. I'm not here to judge you. Like, I get it. I fully understand. I'm just here to help you, but I can't help you if you're not honest and transparent with me. Like, I keep my inside thoughts inside. I'm not like, whoa, who does this? I really just wanna understand so that I can help you back out of that to get where you need to go. 
Um, but I think a lot of people are, are very reluctant to be that transparent. Uh, and it's a little bit vulnerable, right? Like you're saying, I didn't do this right, and I need you to help me with that. And nobody loves that. Not— I haven't met a single human being, maybe Brené Brown, and I fully respect that. But like, nobody else is like, I really suck at this. Can you help me? You know, it's interesting. Sometimes Brandon and I go on calls and after the calls we're like, okay, we are not bringing that person as a client. No way. That, that person would, it, it will not work. That person is in dreamland. Think, okay, that's okay. We, we are not here to tell you, you have to be honest. We'll tell you if we can take you there. But if you are trying to sugarcoat, because you can see when people, oh yeah, I have this. Oh yes. Yeah. Okay. Done. It's not, isn't there. Yeah. Like when you have like the CEO who's like, oh yeah, like I'm doing it all myself on the side. Like how, how much time are you spending doing this? Yeah, like 4 or 5 hours a week. Okay, you're never gonna get there. What is your timeline for completion, uh, is my very next question. Like, you can do 4 or 5 hours a week for 4 or 5 years, and absolutely that's valid if that's what you have bandwidth for. But let's set our expectations in reality that you can't spend 4 or 5 hours a week on this and then expect 2 months from now to be certified. So we have to level set what that looks like, and maybe that's me really helping you through that. But when I'm in a readiness capacity, I want to make sure you're understanding what I'm saying, because again, this is not a paperwork exercise. This is a security mindset that needs to be ingrained in everyone who's going to be working these contracts or within your business. Cool. One of your recommendations is also the strongest preparation you can do is to examine, test, and interview your own environment the way an assessor would. 
How should companies do this? Do they, like, set up pods within the company to do it themselves? Do they hire someone in readiness? Do they hire, like, an LCCA to, like, go, like, go do this for them? Like, what's your recommendation there? I think it differs between companies, right? Like, if you have some really good cyber folks, really good people who understand regulations, really good compliance people, like, you don't have to be cyber brilliant to understand how to assess these things. I think it really comes down to knowing truly, doing your like introspection and saying, I think I can get 75, 90% there with just doing this myself. In the age of AI, you can get your questions list without even putting in your proprietary data in any one of these AI apps. And you can use ChatGPT or Claude. I, I don't care which one you use. Say, I'm preparing for a CMMC assessment. What should I, what interview questions should I be looking for? What test artifacts should I be looking for? And it'll spit it out for you. And so maybe you do that before you even call me and it saves you a little bit of money on the consulting hours. I'm happy to even direct you in that way because, well, we all need— we're all running businesses here. We're all out to support ourselves and our employees, but I also want what's best for your business because it's important to me to support you the way that I— the best that I can. And I can't do that if you're not helping yourselves. And so I think what I would do if I really did not understand this space is I would be, hey, Chat, listen, uh, here's what, here's my situation. I'm, I, I wanna be CMMC compliant. What, what do I do first? And, and have it really give you the things that you're inspecting, give it the things that you should be documenting, give it your interview questions, and just try it out. Uh, because after I leave, after we're like, everything's good, paperwork's done, boundaries secure, we, we've tested this. 
You should be testing that kind of regularly, right? You don't want it to be at your annual assessment where you're like, I actually don't know, uh, after I spent all this money, did all this work, and it was waiting until the next time I had to renew, and nobody now knows what we're doing. So, I would look for your, your compliance person, your, your auditor to internally audit yourselves on a regular cadence where nobody's freaking hitting, constantly asking like, okay, what other artifacts am I looking for? I would be curious to know from your perspective, what do you think is the way to make people change their mindset? Again, they come, they want their CMMC paperwork, but at the end, like we discussed, is you will only be successful if you have a mindset of security first, you know, you want it. What do you think from your perspective, are stuff that will make a CEO change his, you know, his or her mind? I get really clear about the risk assessment, and I, I just ask, do you have $500 million you could pay in fines? And we start really talking through what that, what that means. And not just for your federal contracts, but a lot of these companies have a commercial business and a federal business, and like, your federal business can absolutely affect your commercial business and vice versa. And so we start really talking about a detailed risk assessment and like, what does that look like if you have a breach? Can you afford it? Because a regular risk assessment is something that companies are largely familiar with. So, they understand I'm going to buy a risk or I'm going to pay for the risk on the other end. Like, there's a lot of ways— buy it back or you're going to pay for it after the fact, and that— but all are valid decisions, right? It just really depends on where you want to spend your money. So, we start to have really detailed conversations about what does that look like in practice. If this happens, are you prepared to pay this much? 
And these damages. And sometimes I have a lot of luck. Sometimes they're like, okay, Karen, but at the same time, this is the requirement and that's non-negotiable. So it really comes down to, do you want to do this or not? And it is very binary. It's not like a halfway. You have to pick yes or no. And I'm happy to get you there if your answer is yes, and I'm happy to talk with you next year if your answer is no, but we have to be true to the business and, and the intent of meeting these requirements because it will eventually catch up with you, uh, in some way. And how does that conversation go? Like, you say, like, all right, like, let's talk about, like, how much are you earning from these federal contracts? And you say, like, all right, well, if, if you don't do this and you lie that you are compliant about this, you're gonna get fined. What, like $1.5 million or, or like how does, yeah, how does that go? Well, differently every time. I would say that the people who are most familiar with the federal space, it's a lot less of a discussion, right? They just, they just already know. They're like, I totally understand the False Claims Act. I know how that works. I read the news where we have these large contractors paying $400 million and $500 million, and, and that can't be me. I have other ones that are like, I'm willing to take the risk. And in that, in that case, and I try to have this upfront, I don't, I don't wanna be part of that. Not gonna put my name on that and, and jeopardize my future or my company. And that's okay. And I, right, or like, this is your decision. I just can't, like, I'm not on the same page. Yeah. I'm not part of it. Yeah. Yeah. Yeah. We, we have a, we have a SIM, so we have a SIM. Yeah. Yeah. Yeah. It's, it's good when you, I think it's a lot easier to have to be able to say that when you're not like an employee, like when you're your own business and you're like, I can choose whether I take on this business or not. 
Whereas like when you're an employee of maybe said CEO and it's like, all right, well, I just have to kind of go along with whatever they say. That makes it, I think, really uncomfortable and almost why I think self-assessments are problematic, right? Especially depending on how your organization is set up. So, like, if you have cyber as not an independent organization, but reporting to, like, a CTO, for example. Or CFO, you know? Or CFO. We see companies with CFO. I actually have more problem with them reporting to the CTO, because the CTO tells them what they do, right? Like, and they're like, "I need to do this," and they're like, "We're not funding this." Make it happen anyway, and then we, that's where we shortcut, right? Like, the CFO does absolutely hold the purse strings, fully acknowledge. But the CTO determines whether or not the tech roadmap meets the requirements. How do you balance the business requirement when your tech leader is like, "I'm not doing that. It's just not in my roadmap. I don't wanna spend the money there." And that is where I think it screams lack of independence of your cyber organization to not only protect your company data, but to be an independent auditing body of the company and of the boundary, because cyber's gonna audit this boundary, right? Like, they're the ones Palmer all the time are gonna own this paperwork and be doing those internal audits. And if you're reporting to the person who, who is in charge of all of these architectures and infrastructures, then, then you've got a problem, right? Because who wants to tell the CTO that I failed because your team didn't, like, no one, literally no one. So, I'd rather tell the CFO, look, I can't afford to do this, and here's what I need. CFO can go tell the CTO, you need to get this done, right? 
Like, just some independence that we really need to keep between, like, technology, like product development, engineering, things like that, from the cyberspace where we're auditing how well you're doing what we ask.

Where do you think it, it reports to then? Do you think it should, like, truly be, like, an independent thing where they report to the CEO, or do they report to operations?

Been going over this in my head for weeks now. I truly believe cyber should have a direct line to the CEO, and whether that's through a COO or a CFO, I don't care. Where I struggle with the conflict is when it's the CTO, because there's a lot of things going on in tech, right? There's product development, there's engineering, there's infrastructure, there's all these things. And then you've got cyber trying to compete with all of those things under the same boss. And I'm sure you all know where, who gets prioritized, like your revenue generating audits. Yeah. Or your cyber who's like, I'm gonna make your job a little harder because we don't wanna have a breach. And so, I, I, I don't know that I care really, other than when it reports to the CTO, we struggle with getting things done. In my perfect world, it should be its own vertical, right? Like, cyber is an independent body. Compliance, or, I mean, there's a million ways I could, I, I would place it. I, I just have seen it a struggle when it reports to the CTO, because then we have a lot of competing priorities, and we're competing for funding, and all these products are revenue generating, and cyber is not, but it's a necessary evil. Like, we have to be here saying, don't do this. And then, the CTO's like, but I need to do this. And there's only, again, it comes to the risk trade-off, but it doesn't usually work out well.

I have a follow-up question on that.
The issue that I see on my side is, so we deal with small business, so you can convince the CEO at one point, so we convince the CEO, the CEO says, okay, yes, I think we need to do it correctly. Then we deal with the IT team. The IT team, you'll find it's one or two person that have been doing that forever and that we are used to, you know, I am the global admin, I can change whatever. And now you are going to tell them, moving forward, you have everything start with a ticket. And, what do you mean? I don't want to do that. So it's kind of a change for their world as well. Any advice?

I think everyone hates tickets, me included. Like I always say, I'm like the worst cyber person sometimes because I don't enjoy the inconvenience, right? But it is a necessary evil, and I suck it up and do it, right? I say start small, right? Like, maybe it starts with the IT person creating the tickets themselves, right? Because you need an auditable record of these changes so that you can trace back if something goes wrong. We're all hoping it doesn't go wrong, but in the event that it does, I want it documented that Sally changed this on this day at this request because— and now we can be like, ooh, that was not the right decision. Let's go undo that, roll it back. And now we're good. So I've seen it start with the IT person creating the tickets and then slowly rolling out to like lower-level people because that's usually the easiest ones to conform. You now need to create a ticket to IT. And you may call me and say, "I know I'm supposed to create a ticket," and I'll be like, "Great, let's pull that up on your screen right now and I will walk you through that." And then we create the ticket together. They're doing the work, I'm just talking them through it, and then eventually it gets to the point where they just know, right? Like, it's, that's really change management, not policy. And change is hard. We are not designed as human beings to just be like, change is fantastic, right?
Our little lizard brains are like, I'm looking for the same every day, 'cause that's where I'm safe, that's where I'm comfortable, I know nobody, like, no predators, nothing eat me. Um, and so when we're doing changes at this scale, you gotta start small, and then you start from the bottom up usually for these types of changes with support from the top level. Knowing they're not gonna put their own tickets in for a little bit. And then eventually, as it goes up level by level, now we have everybody putting a ticket in with rare exceptions. Like maybe the CEO's gonna call me and tell me to go fix this. And I'm like, yes, ma'am. I will get right on that. But I'm putting that ticket in, right? Like— You all bring the ticket. Yes. Yeah. Happy to do that for you, ma'am. Let me just get right on that. And then I'm putting the ticket in, CEO said, and I'll tag them in it. And in really good, good companies, the CEOs put their own tickets in, right? Because what's good for the goose is good for the gander, right? That happens sometimes, and, and sometimes it never does. But either way, I'm tracking that work because as, as the IT person, that's my responsibility.