
The Evolution and Enforcement of CMMC with Jacob Anderson

Trust Issues · 2026-06-02 · 33 min

Substance score

56 / 100

Five dimensions, 20 points each

Insight Density: 11 / 20
Originality: 10 / 20
Guest Caliber: 13 / 20
Specificity & Evidence: 12 / 20
Conversational Craft: 10 / 20

What our scoring noted

Our reviewer’s read on each dimension, with quotes from the episode.

Insight Density

11 / 20

Contains some genuinely useful operator points for the CMMC niche - whole-org certification, physical security as the common sticking point, evidence as ongoing rather than point-in-time - but these are diluted by rambling anecdotes and repetition.

the whole organization has to be CMMC certified
the biggest thing that people get stuck on is the physical security stuff

Originality

10 / 20

The 'CMMC is just the enforcement arm of NIST 800-171' reframing and 'you were supposed to be doing this since 2016' angle are somewhat fresh, but most content is standard compliance commentary rather than contrarian or first-principles thinking.

CMMC as like the framework when actually it's just the enforcement arm of NIST, you know, 800-171
DFARS has been around since like 2016. You're supposed to be doing this for like the last 10 years

Guest Caliber

13 / 20

Genuine practitioner - a founder with decades of hands-on cyber and software work, an RPO who built CMMC tools and operationalizes the frameworks, rather than a pure thought-leader.

founder of Beyond Ordinary Software Solutions and a cybersecurity leader with over 40 years of experience
just got out of college at Los Alamos

Specificity & Evidence

12 / 20

Reasonable density of concrete numbers, timelines and named tools/vendors (45 man-days, ~1000 pages, 2500 of 100000, 90/120 days, Drata, Eramba, ADT), though some claims like future timelines are speculative.

you're generating, you know, easily 1,000 pages of evidence
you could probably spend about, you know, 45 man days going through all that stuff

Conversational Craft

10 / 20

Hosts ask relevant, scenario-based questions and occasionally probe (the 'will contractors lose contracts' line of questioning), but the tone is largely friendly and claims about timelines and exceptions go mostly unchallenged.

Where are they getting stuck?
do you think there's going to be bankruptcies? ... actually going to lose contracts

Conversation analysis

Computed from the transcript - who did the talking, and the verbal tics along the way.

Filler words

like: 134
you know: 121
right: 119
so: 104
uh: 26
kind of: 23
um: 11
actually: 11
sort of: 2
obviously: 2
er: 1
I mean: 1
basically: 1
honestly: 1

Episode notes

Jacob Anderson brings forty years of high-stakes security experience to the table, starting from his formative years detecting data exfiltration at Los Alamos National Laboratory. In this conversation, he traces the journey of federal compliance from the voluntary era of CMMC 1.0 to the strictly enforced requirements of version 2.0. We go behind the scenes of how he built Cyber Sam, an AI-powered regulation query system, to help contractors navigate the dense nuances of NIST 800-171 without getting lost in the bureaucracy. The discussion moves into the practical trenches of certification, where many small and medium-sized businesses run into unexpected roadblocks. Jacob explains why the common strategy of trying to segment a single office or computer for certification is a myth that auditors will quickly dismantle, as data often lives across the entire organization. He shares details on the significant manual effort required to maintain a thousand-page evidence packet, noting that the process can take upwards of forty-five man-days for a single assessment.

Full transcript


Transcribed and scored by The B2B Podcast Index.

If you want to be a CMMC contractor, the first thing to learn is go and read the actual CMMC. Get that down, learn as much as you can about it. Look at the nuances of the CMMC. It's not just cyber again, it's a lot of other stuff. Then learn one of these GRC platforms out there that makes sense for you if you're going to be doing this on your own. Welcome to Trust Issues by BeMo, the podcast where we go beyond checkbox compliance and get real about security. In every episode, we break down what's happening in the world of CMMC, cybersecurity, and GRC straight from the people building, auditing, and living it. Real conversation about real security. Welcome to Trust Issues. On today's episode, we're joined by Jacob Anderson, founder of Beyond Ordinary Software Solutions and a cybersecurity leader with over 40 years of experience building secure systems in regulated environments. Jacob has spent decades working at the intersection of software engineering and security, designing secure delivery pipelines, implementing DevSecOps practices, and helping organizations operationalize frameworks like NIST and CMMC in real-world environments. What has been so like— why are you so passionate about this space? Like, what's so exciting about this right now? Oh, you know, you gotta wheel it back to when I had just got out of college at Los Alamos, you know, and I had just gotten on with a group of people who were doing cybersecurity stuff, you know, and it was a lot of fun. You know, these are old people like I am today. You know, these guys were old people, but they knew a lot, right? They were something else, you know, and this was in the '90s and they knew a lot about cyber because cyber was a real deal back then too. It's just, you know, it was really quiet and not a lot of people had understood that it was such a serious problem. But that really got me hooked. You know, I really liked it. I really liked doing it. 
My big thing was always about like, how do you detect when someone's exfiltrating data? You know, the whole data hiding, subliminal channels, you know, cryptos, that kind of stuff. It's fun to me to know like, when can I see when someone's doing that? They were more into like infiltration and understanding how do we get onto someone's desktop, you know, and how do we move laterally, you know, what kind of stuff can we exfiltrate, you know, and how do we make it look like we're not exfiltrating? So we were really, really good at that, of course, right? But, uh, because yeah, we know how to find the people who are doing it. So we know how to hide from those people as well. Right. So that, so that, that's kind of how you got into this whole space. Like you weren't like, uh, in the Navy or something. I feel like half the people I talked to kind of started in the military. So it's cool to have someone who's just got into cybersecurity out of college. Just in the wild, you know? Yeah. Just in the wild at Los Alamos. In the government. So pretty much everybody that starts in cyber. Almost always start somewhere in the government. It's pretty, pretty rare to find people who are just really, truly wild type out there. They do happen. Well, they used to happen, and now it's probably going to change. You're not going to find them anymore, right? Because those, you know, AI is taking that space over really fast, right? Yeah. Why? How did you get into CMMC specifically? Like, you just woke up one day and said, I'm going to be an RPO? Yeah. So we, for real, right? Like I had a dream. I wanted to do this. I love it. Some kids want to be astronauts. Other people want to be RPOs. Right. Yeah. I hope there are people like that out there, but I was not one of them. I had left the government space for a long time, did the dot-com stuff twice, you know, went through the two blooms of dot-coms. And started the company back in 2000 doing, you know, commercial stuff. 
And then I decided to pivot back into the defense world. So I stepped in and CMMC 1.0 was just beginning, but it wasn't a hard mandate, wasn't law, but I knew that we had to do something, right? So I'm like, ah, whatever, you know, I know what to do. So I started looking at it and like, geez, this is, it's, uh, it's pretty involved and there's a lot of stuff. And at the time, some stuff didn't really make any sense. I'm like, that's kind of weird. You know, that's kind of weird too. But nonetheless, there were no tools, right? This was several years ago. Like, there are zero tools for this. So we made Go into State 100, go into state100.com, right? So I could just like, just a little spreadsheet interview, figure out like, what are the things that are good or bad, you know, and give some advice, right? Give me my score, go to PIE, put in my 110 and be done, right? That was the State 100. Then it's like, you know what? So once you're a 171, 53, which, which both 171. This one is under 171. Yeah, yeah. And the 53 is the assessment, right? So we didn't do the actual assessment. That doesn't come until CMMC 2, you know, right? So CMMC 1, that was pretty loosey-goosey, right? They're like, we'll just trust that you got the number and move on. You're not lying. High five on the back. They're like, yeah, shut up, my man. Very much, right? Very much so. Yeah. And then, you know, CMMC 2.0 comes along. I heard about that. So I'm like, hmm, interesting. So I read through that and I'm like, you know what? No one's going to read this. So as I'm reading it, I tore it apart and created Ask CyberSam, right? It was a little AI. All right. So I picked it up. Yeah. I made it so that you could put into this RAG system, right? So that it could actually query it and it could give you results that actually made sense. Right. It was great. It was a really good bot. Um, still is. But then I learned everything about CMMC. That's the best way to learn anything, right? 
Is to break it apart, put it into a bot, you know, and you don't have to read everything and structure it properly and all that. And that's when I learned all the little nuances of the CMMC. And that's when I decided like, yeah, I might as well be an RPO because we're going to have to help people anyway. People are asking for help. So why not? Yeah. Tell me, tell me more about this business. So I feel like when I, uh, when I look into it, you've got this like insurance arm, you've got this custom software arm. And then this RPO arm, like, I'm guessing they're related. Like, what's the— what's the, like, the intersection of all these things? So professional services is what we do, right? So people come to us to help them, you know, make their dreams come true, right? And then from that, the majority of the work that we did was in the insurance space, you know, property and casualty insurance. Uh, we've done life insurance, and we've done bail bondsman insurance, and, uh, restaurant insurance, everything you can think of. We've done everything like that. But in the insurance world, there's a lot of cyber, right? And so when I went into the insurance world in 2000, there was no cyber. Those guys, they didn't care if you had a password or not. They're like, this is just policy information. Nobody cares about that. What are you talking about? You know? So I started to force them down that road, right? Teaching them about cryptography and how encryption, and we can encrypt things, you know, and make things nice and how we can infiltrate and exfiltrate and, you know, and all these kinds of wonderful things. Right. And then that's when I got back into cyber a lot more, you know, and started helping people with that as well. So that's where the cyber angle comes in. So professional services leads to insurance, leads to cyber. And then they were back into defense. 
I'm like, you know what, now I know a little bit more about some of the nuance of the CMMC and like why the government wants you to do this. Because the commercial space has no idea about some of this stuff. Like, why do we care about this? It's a cost center. I don't want that. You know, everything was a cost center, right? Yeah. What I find interesting on that topic is just to see, like you said before, people will fill up the, you know, they will get their score, they will find the 110, be okay. And now they have to do it and have someone watch over, you know, through each check. And now it's like, people are all complaining, like, why am I supposed to do that? Well, you were supposed to do that. You were supposed to be doing it, yeah. You were supposed to do it. You said you did it. You said you did it. Yeah, yeah, it's crazy. Funny how everybody's seeing this, seeing CMMC as like the framework when actually it's just the enforcement arm of NIST, you know, 800-171, right? Um, and so, but everybody's seeing like, oh wow, like the government's making me do this for the first time. It's like, no, DFARS has been around since like 2016. You're supposed to be doing this for like the last 10 years. And everybody's like, uh, yeah, I've definitely been doing it the last 10 years. Yeah. Okay. They don't think so. Yeah, yeah, exactly. Exactly. Oh my gosh. So what are you seeing? Uh, where are some of your customers like getting stuck with in the CMMC space right now? Like, are they in like the middle of their, you know, they're bringing you on, they say, hey, like, obviously we've never done this before. Nobody's ever done this before. You know, there's, there's so few people who are actually certified. Where are they getting stuck? You know, the biggest thing that people get stuck on is the physical security stuff. Right. So access control, which is a physical side, there's a cyber component, right? 
And they all just think the CMMC and the NIST is about the electronic cyber side, right? Like, yeah, no, that's just part of it. You know, you've got to secure the whole thing, right? Your doors have to have access controls, doors to the inside, doors to the servers have to have access controls. And then you get to open up the whole cyber thing, right? And they get hung up on that. And I couldn't understand why I'm going to do that. That doesn't matter. You know, and you're like, yeah, no timeout, buddy. You got it. Let's read through this. You got to do this. Let's read and find out. See, physical security, you have to do that, you know? Yeah. Yeah. Yeah. This kind of reminds me of a current situation of someone that we're talking to right now where this company, they've got 3 offices, right? And they say, hey, you know what? Only one of the offices is typically the office that deals with like DoD clients, right? So we are just going to do the certification for that office, and we're just going to certify that office will be CMMC certified. What do you— is that possible? Not at all. No, no, the whole organization has to be CMMC certified. You know, they could have you could say that that place is a container that's going to contain CUI, right? That's all we care about is where's the CUI going to be, the CUI, where's that at? Let's start with there and then peel it back and find out how we control access. The whole organization has to be certified. How do you know someone will not take from one room in one building and go to the other one? Right, exactly, Bruno. Exactly right. And that actually happens. And then you're going to find out as you peel it away, you're like, oh, well, the mail server's over in this building. Right? And you've got the file servers over in this building and the backups are over here. And so like, and that's where all the CUI is. It's all spread everywhere. It's just messy. Yeah. It's not super easy to kind of containerize, right? 
Or say it can be isolated. Yeah. I feel like that's something that comes up a lot where people say, oh, you know what? It's only like Jim and Carrie who have, you know, who deal with the CUI. Those people are going to be CMMC certified. It's like, oh no, no, actually this is like a whole company thing. Like we don't just get to segment the company like that, right? Right. Yeah. This one little office in one computer, right? Like, okay. Yeah. No. Yeah. Okay. So, so what are some of the things that you have to do in for physical security? So like what, what, what are some of the recommendations that you're giving your clients for that? Oh yeah. So the first thing is to call ADT, get their number and call ADT. All right. Is ADT still around? Oh yeah. You bet, man. Those guys are great. Yeah, it works, you know, because the first thing you got to do is change all the exterior doors, make sure you've got the little like fob things in the automatic door so you can, you know, in and out control who's there. It's more important that you can monitor, right? So I can prove that someone came in, right? That's all I care about is when they come in, when they leave, that's great. But when they come in, I need to know that. Yeah. So badges, your classic, got a badge in, right? You're working at a huge corporate campus. And now you're kind of bringing that corporate type IT environment down to maybe a 50-person company who's just like, well, I don't have to do that. Well, I've known the same 50 people for the last 10 years, right? Yeah. I know Bob and Sally. I don't have to have a badge for them. Yeah. Well, the government, Uncle Sam doesn't know Bob and Sally. So you've got your cards. Yeah. Yeah. Yeah. You bet. Yeah. So once you get past that, the next conversation is really about the interior, right? Because you have like a server room, people like, well, you've got the access control, you know, So why do we have to do the interior, right? 
Well, because even though Bob and Sally access that server room, you've got Joe and Tim who sometimes might go in there and they shouldn't be in there. So you need to know when they go in there, you know? So you got to do something. You got to have either a lock mechanism, you know, a dial lock or something. So, you know, and you have to have cameras. You always have to have cameras in your IT closet, right? And that's always a problem, right? Because they're like, wait a minute, you're going to record things. You got to record audio. What are you talking? We don't want to do that. Our employees are uncomfortable with that. Yeah. Well, this is a chance that we have us as BeMo. All our customers are cloud only. So we don't deal with the, you know, they are 100% there. So we don't have to deal with that. So it's a big, that is nice, right? Yeah. Yeah. But, but, you know, a lot of these, a lot of these, uh, contractors are mostly like machine shops, right? Like, a lot of them are just like, uh, we've got 5 guys in the office, we got 20 guys working on machines in the warehouse, right? Yeah, right. Dude on a lathe, like, what is he gonna do? Well, Uncle Sam wants to put his eyes on you because we want to make sure that you're doing it right, you're not messing it up, right? Because you can compromise an aircraft, you know, this one day you decide to like just shake it a little bit on the lathe and now it's not, you know, up to spec anymore, but they're going to get it on the aircraft. We want to see that, right? Because, you know, CMMC, again, it's not just about cyber, it's about the whole picture, right? Right, right. Um, kind of pivoting a little bit, what kind of, uh, custom software are you guys— like, are you mostly writing custom software for people in the defense industrial base, or— Not at all. No, no, no. So, uh, it was all, uh, property and casualty insurance. In the very beginning. We picked up clients in life sciences. 
So we did some LIMS, lab information management systems. We did some of those. We did some in-car stuff. So we actually worked on a high-profile, very expensive car to redo the HMI in there. That's the human-machine interface. It was fun because we actually did something for them that changed the whole industry. So yeah, so before these things were always written in like Java. Right. So you had a Java application and that's why your in-car thing was always kind of clunky, ugly, and, you know, not very, not, it wasn't very pretty, right? You could admit it wasn't, right? It's just because people like me were designing interfaces, you know, and I don't know how to make stuff pretty, you know, I buy pretty, I don't make pretty, but then we're like, and so these guys come to us and they're like, we're gonna make this Java app. I'm like, no, we're not. We're get rid of that. Right. We're gonna do this in JavaScript. Right. Cause this was a time when we could do stuff in JavaScript. So we had just create a custom Chromium thing with a. Our little boards and stuff. So we were making custom boards and stuff and it was really fun to do it. But the beautiful part is that now they could draw talent from the web design community. And that opened up the world to them because they had people who knew how to make things pretty. And HMI is transformed overnight. And we were able to deliver that in 6 months when in the past it used to take 5 years to get one of the things off the floor. Oh, wow. Yeah. That's awesome. Transformative. That was fun. In the CMMC Field Guide, you mentioned that building the evidence packet is a lot of work. Uh, I'm thinking that a lot of our clients kind of underappreciate this part, um, that, that the evidence piece is, all right, you build this giant library, I put a bunch of stuff in SharePoint so that like, uh, Inspector basically can come and do a one-time pass of everything, and then I'm good, and then I'm off. 
Maybe you can kind of talk a little bit more about like, what is it that these clients are maybe underappreciating about the sheer amount of evidence that you have to go collect on an ongoing basis? Yeah, and so the 53 is a very detailed step, right? Detailed, you know, group of steps that you have to follow, and every step has evidence, right? And so you're talking about like hundreds of steps that you have to go through, and sometimes it's more than one screenshot. More than one big file, right? There's just like, you're generating, you know, easily 1,000 pages of evidence, right? And you've got to go back and review that because it can't just be like point in time, right? I mean, you got to make sure that it's up to date because when the inspector comes, it's got to be valid at that point. They have to do it monthly. Right, exactly. So that, and that's the hardest part for them, right? Because there's a lot of eager go-getters. I love eager go-getters. They get done really fast. Inspection is, you know, what is that, 120 days later? You're like, well, the configuration's changed by that time, you know, and people have left the company, you know, and all this stuff. So like, well, we got to make sure we refresh that again. They're like, you know, in the spec, like, I'm going to come back in 90 days. Sorry. Bye. Yeah. So you got to keep it up to date, constantly refreshing it for every little thing. And that's the point of the CMMC, right? Is that once you get there, you got the cadence. Update stuff as it happens, you know, keep that cadence going. And, and are you finding that people are assigning like one headcount to just be that person who rounds that all up, or is that like segmented across a lot of different people within, within these companies? It kind of depends, right? Um, but it's usually the IT people, right? So it's the head of IT, you know, it's those people, um, and the head of the physical security side, right? And you have CL people, right? 
So you're, you're, if you're cleared, you have your FSO, right? And so you got to have someone there too who's like the head of everything, right? You know, and that person is kind of the one that that's your go-to for CMMC, and they're the ones that are going to organize all the, all the minions to get them. Is it, is it time-consuming? Yeah. Oh yeah. Oh yeah. Okay. Oh yeah. It's a, Yeah, you know, you could probably spend about, you know, 45 man days going through all that stuff, you know, 45 man days. I want to make sure that the audience hears that again. It's not, you know, he's, you know, yeah, screenshots. Yeah. Oh, they always think what it would take for me to get there. Yeah, they forget to say what did it take for me to remain there. Yeah, exactly. That's important. That's probably the most important step, right? Getting there is like one step. That's like, I got married. Yeah, that's the start. You know, that's not the end, man. That's the start. Yeah. I will still, I will remember. I will use this. Yeah. Good. Good. Yeah. I see you're in San Diego. Do you, have you ever heard of Drata? I don't know the GRC platform. I think they're in your space. Yeah, they are in San Diego. They're in San Diego, right? Yeah. No, I've never heard of them. Oh, wow. Okay. Okay. Well, maybe that's something that you should look into. Every one of our customers that does compliance, we have them use Drata as a GRC platform. We don't do compliance without it. Yeah. It's kind of a nightmare without it, like all the evidence collection. Yeah. From my understanding, it's a little bit I guess Bruno, you were saying a little bit lackluster when it comes to CMMC specifically right now, but I'm sure that's something that they're probably working on. I hope, like it's, you know, we use them for ISO, for SOC 2, very good. I think on CMMC, there's other things I wish they were doing out of the box, but they, you know. Okay. 
Yeah, the only thing I ever looked at was Eramba, E-R-A-M-B-A, Eramba. I looked at them. That's an open source one. You can go and download it. That's the only reason why I was looking at it because it's free, right? So I'm like, this looks interesting. I'll check it out. Yeah. Yeah. Bruno, what are some of the things that you're hoping that would help with that it's not helping with right now? I would expect, I would expect because it's connected to all your systems, it's connected to all your policies, it should help you do your SSP, at least help you do an SSP. I could have a button. Create my draft of my SSP already. Okay, because they have everything, it's just like, well, you have everything, but I have to do my SSP from scratch, it's kind of, you know, this is one. And I think, yeah, better manage the evidence, but you know, there's, you know, from CMMC, there is a lot more, you know, a lot more they could do, but you know, I think the number one thing is the keep up to date and manage the SSP, you know, update and everything. Here. And like today, you go to Drata, you go to under the asset page, but they don't use wording, you know, CUIA, SPA. So for me, I will want to do the classification per asset, per CMMC, not per Drata, because per Drata it would be hardware. It's not how CMMC works. Exactly. Yep. That would be nice, right? So it's just, you know, little thing that for me, have anyone of Drata go through a CMMC themselves for one or two and they will, they will know what to go fix. So Jacob, are you working on like SSPs for your clients? Like what's the, what's the level of engagement in which I guess maybe you're doing things for the clients versus like advising them? Just like, hey, here's what you have to go do yourself. Well, we don't do the SSP for them, right? That's an exercise that they have to do on their own so that they understand what they're doing, right? That's super important that they do that because we're going to leave, right? 
And they got to maintain it. So yeah. And then that's usually with their FSO and their FSO, if they have an FSO, right? If they're not cleared, that's different. But if they have an FSO, then the FSO knows what that is and they would already have what they think of an SSP. And then, you know, we'll give them the correct guidance, you know, and how to maintain it, you know. And then there are lots of other components that they're always going to be missing, you know, like there's the whole training component and the trackability, you know, the traceability of training, you know, and the cadence and the calendar for that and where they get it, you know, they have to track that and they're not doing that. And well, you know, there's all this personnel stuff, right? So there's the physical security, there's the cybersecurity, and then there's the personnel. All the background check and, you know. Yeah, right. All these things. Yeah. Yeah. It's complicated, right? It is a wholesome ecosystem of things that we have to do. Always, it is interesting because, you know, so we as BeMo, we are ISO, we are SOC, we are HIPAA. And I always think, you know, at least I see on my side certification, I don't see it as a burden, you know, I see it as someone from outside is going to come to my system and try to show me that I have holes. Hey, I want you to show it to me because I don't want to be the bad guy finding them, you know? So, yeah, you can come over, and if I can make my system more secure, I am all for it because it's good for my customer. So I am all, you know, I am all, you know, and so far from all the certification, this is how honestly I would expect they are all done. You would expect that they're all done like this. Yeah, it's not like SOC or ISO. It's pretty much the assessor trusts you. You say, this is how I do, this is how I do. Okay, check. Good, good. But versus CMMC is, okay, share your screen and show me. Right, exactly. Yeah. You're right. 
So I think it's a— Yep. Totally agree with you. You have to be very prepared and already be logged into everything. You have to already anticipate everything they're going to go ask you and know where to go click and everything. It's for me, someone is trying to break your system to try to show you up. I found a problem, you know, and you know, I prefer them, you know, I prefer to find, yes, would I, would I like to find a, they found a problem? No, but I prefer they find it than, you know. Yeah, you know, in the software world, people, companies, people always treat QA and testing as a cost center, you know, it's not, it's a quality center, right? And they always forget that that's a quality center and this CMMC certifications, NIST 800, this is a quality vector for a company, right? As a CISO of the company, I will sleep much better. I know, again, I cannot guarantee, you know, certification doesn't guarantee security, but you know, it's pretty dumb for any company that we know will be our CMMC Level 2. No problem, I will trust them, they can come to my network. Yeah, at least they're actually doing something, right? Yeah, they know that they're doing something. Exactly. So again, there's something to be said for, you know. Where do you see CMMC going past like November? Do you think that all the people who didn't start or perhaps aren't doing enough, like, do you think there's going to be bankruptcies? Like, do you think there's some people who are actually going to lose contracts because the primes are sort of changing the wording within their contracts? No, I don't think that's going to happen. I think there's going to be a lot of exceptions that are going to be passed down. There'll be congressional exceptions for a lot of the contractors, especially the primes. The flow-down clause is kind of like the biggest trap that many of the subs don't understand. 
But we are, we are seeing contracts come out that say you have to be self-certified for November of this year in order to get on this contract. And then the follow-on for the next year is you have to be certified, right? Okay. And so self-certified for Level 1 or Level 2? Level 2, sorry. Level 2. I think they have no choice. There's only what, 2,500 as of now out of 100,000? So, but I think the— I think if they can send again the warning, okay, okay, I will extend by a year, but now you cannot say you were not, you know, he's gonna get a warning. But now what happens, like, I've heard from a lot of contractors, a couple of them that say, hey, we're one of the only ones that can do this thing. If I lose my contract, then the government isn't going to be able to find another contractor who can do this. So they're going to have no choice but to keep using me. Like, do you really think that there's probably like, there's enough maybe diversity within the supply chain that you could actually switch from one contractor to another for things that are a little bit more niche? There are definitely, yeah, there are manufacturing contractors out there that definitely are not going to be certified on time and they're going to get an exception because they are critical infrastructure for sure. Um, that's going to happen, but they, they will. So what'll happen is they'll get, uh, prioritized with the C3PAOs, which there's not many of them out there, right? They'll get it prioritized and then the government will help them. Uncle Sam will help them find someone to get them on board. Right. And that, that will happen. And it'll be a fast-track thing for them. Okay. Interesting. Yeah. Okay. It doesn't mean that they should wait it out and hope that I'm right. Yeah. I want to be sure that I'm wrong. Right. Yeah, yeah, yeah, yeah. They shouldn't rely their entire livelihood on, on Jacob Anderson on a podcast. Right. Exactly. They should probably come to it to their own conclusion. 
I hope so. Right. I hope so. Yeah, maybe you'll be getting a LinkedIn message one of these days being like, wow, you know, thank God you were there. Yeah, real, real. Oh, that's funny. So right now, um, obviously all this is just for the defense industrial base, but do you see something like CMMC, um, ever sort of expanding to the rest of governments? Like, uh, just like state and local government, like your typical, like, city or police station, or like all the other stuff, like community service boards? Like, where do you think it— do you think it's just going to end here, or do you think it'll eventually get, like, expanded? Not at all. I think the federal government only. That's as far as it would go. Yeah, you know, like, from what I've seen, the state governments, the local municipalities, they don't really have the appetite for this kind of bureaucracy, because there's a whole infrastructure that they have to have in place to monitor and to enforce it. And they have a hard enough time just with, you know, domestic law enforcement. So how long do you think it'll take? So I think, I think right now the estimates are something along the lines of like 100,000 organizations-ish that need to have this. Do you think it gets done in like the next 3 years, in the next like 7 years? Like, uh, how long did it take for the entire industrial base to, to kind of get it up to speed? I think in 3 years for sure. Yeah, 3 years. Yeah, 3 years. Oh wow, okay. I would bet the same. Yeah, yeah, yeah, yeah. The C3PAOs are going to start to ramp up, so this year they're starting to build them up. There's gonna— it takes time, right? You have to be an assessor, you gotta get certified, you got to be on an assessment. There's all the stuff you have to go through. Yeah. I also heard that Rev 3 is coming. No, really? Yes. So, oh my gosh. I had a talk with a C3PAO and he told me that from his perspective, it's coming then at one point again. So, wow. Interesting.
I haven't heard anything like on that yet. But if it's anything like, so from 1 to 2, that means that 3 will be a little more distilled and dilute. Than 2, right? So it'll be a lot easier to get certified. Yeah, we'll see about that. Yeah, right? Yeah. Wow. Okay. Well, maybe let's like, uh, let's wrap up. Uh, so, uh, you are a DoD contractor. You haven't started yet today. Um, what are the 1 or 2 things that you're— that you— that you would go advise them to go do, whether it's like research or who to call first or that kind of stuff? Uh, if you're just starting as a government contractor today? No, a CMMC. Oh, oh, oh, a CMMC. Oh, okay. So if you want to be a CMMC contractor, you know, the first thing to learn is, you know, go and read the, the actual CMMC, right? Get that down, learn as much as you can about it, look at the, the, the new, the, uh, nuances of the CMMC, right? It's not just cyber again. It's a lot of other stuff. Um, and then, uh, learn one of these platforms, right? Like find, you know, some kind of GRC platform out there that makes sense for you. If you're going to be, you know, doing this on your own, chances are you're going to be an RP first, you know, get on with an RPO, get some practice in, you know, work on your CP, your CCP, right? And then, uh, try to help out with an assessment or something. You know, so you can eventually work up to be an assessor, and that's like 18 months down the road. Yeah, yeah, yeah. Cool, cool. Well, I really appreciate your time. Uh, I appreciate you joining us. Thanks for having me. Thank you. Yeah, absolutely. It's a lot of fun. That is another episode of Trust Issues. If this conversation helped you think differently about compliance, security, or trust, share it to help someone who is still stuck in checkbox mode. Each week we will keep bringing you more episodes, resources, and real-world insights from the BeMo team.
Wherever you are listening from, don't forget to rate the podcast and follow us to stay up to date on the latest developments in the GRC space. Remember, compliance gets you certified, but real security, that earns trust. Thank you for listening.