Tech Titans

DFARS & NIST cybersecurity compliance for defense contractors and subs

November 19, 2019 Regan Edens, DTC Global
Tech Titans
DFARS & NIST cybersecurity compliance for defense contractors and subs
Show Notes Transcript

Regan Edens, a long-time administrator and consultant for DoD cybersecurity protection, talks through the strict compliance mandates that will be enforced starting Jan. 1, 2020, and ways for you to use the Agile method to analyze your cyber compliance health, and get your organization into the gym before the feds TELL you to get into shape!

Speaker 1:

Welcome to tech Titans insights. This is Amy Alexander. I'm your communications person and host of the podcast. And with me today, I have Reagan Edens who is going to be talking about, and actually I'm going to let him get into it, some of our responsibilities going forward with cyber security. Reagan, tell us a little bit about your background and why you're knowledgeable about this information. So I spent, um, the major portion of my career and the department of defense, um, in technology doing a rapid technology development, digital, uh, digital implementation of systems and systems of all sorts of different us design and, uh, technologies, um, all over the world through the department of defense. I've done that as a role as, um, defense contractor. I've done that role as a defense, um, senior intelligence civilian. And um, now over the last several years I focused on, instead of protecting that sort of information that we're talking about and uh, catching cyber adversaries that threatened our networks, um, which, uh, I've been doing since about 2005. Really the focus is on getting on the defense industry and then letting them understand what these requirements are cause they're pretty confusing. Sure. Um, how important that they are because we're talking about$600 billion a year. If VAT rates out of our GDP from the loss of technology and the transfer of wealth from the good guys to the bad guys. So it's very, very important. There's no doubt that says this needs to be done. There is a sense of urgency because that happens every year. That 600 billion is sort of, we lose that in numbers, but that's more than the entire defense budget itself. So we lose what we actually spend trying to develop these technologies to, to our adversaries. The reality is that it's needed. If by law it has to be done. And then now the question is, is how do we help those impacts those impacted by these requirements to understand what the core elements are and then meet the requirements so that they ag, we protect our country and B, we meet the requirements cause that's what the law says and see they really don't get themselves in trouble because the enforcement has begun to be very aggressive and next year things change significantly. We as a technology companies here in the Dallas Fort worth area are facing a new requirements. Sure. Okay. So there's no requirements are uh, fall underneath. Um, those companies that are prime contractors or their suppliers or their suppliers of their suppliers and subcontractors who are supporting a department defense contracts and handling something called controlled and classified information. How many companies that we know are going to be doing this? The number that's being is 300,000 companies. Those are prime contractors nationwide. Sure. Okay. Now when we translate that number into the number of subcontractors and suppliers that actually handle controlled and classified information, that number probably grows from one to 3 million companies nationwide. So these companies know who they are. Sometimes they do and sometimes they don't. You would be surprised where two years after the deadline, a deadline was December 31st of 2017 to have these controls implemented. But the problem is that, uh, the government hasn't done a very good job in identifying the information that needs to be controlled and also should be problem markets should be identified. So many contractors have had to sort of on their own volition because if that's the law, even if it's unmarked and it meets the definition, it still has to be treated as controlled and classified information. So contractors have begun to, uh, prime contractors in particular, uh, major projects, large and large amounts of, of, uh, funding at risk. So they've begun to implement these controls and the begin to identify this information over the last, probably probably the last year and a half, many subcontractors don't know because sometimes the information is not properly marked that they're actually handling this information or they think that the information is, is perhaps IHR control, which is part of the controlled and classified information, but they don't know it. Paul's underneath these DOD regulations. So how do they find out if their father, if they're dealing with this information? The criteria? All right. First of all, am I a defense department? Defense contractor, sir? Okay. So number one, am I a supplier or subcontractor to a department offense contract? And do those department defense contracts handle technical information? That's principally the concern. Okay, so technical information. Okay, great. What is that? Well, we're talking about blueprints, diagrams, software specifications, any engineering and design data, any of those things in either physical form or digital form falls almost surely underneath that definition. So do I handle technical information? Do I handle, I talk controlled information cause that also falls underneath the definition. And then the next question is, is are the programs that I'm working on specific to military and space applications? So aerospace space space, and then also, uh, military applications in defense systems, very, very likely. If you hit those sort of attributes in your business model, it may not be 100%, it may just be a portion of your business. Sure. Then you very likely are caught underneath these requirements. The reality is that the, the terms and conditions that the prime contractor assigned up to and their direct contract with the garment and the terms or conditions for which you support a prod contractor required or any of those terms of conditions then to meet these requirements. A couple of things. That one right now you are local in North Texas, I am and you all the time help companies get ready to make sure their information is protected. Correct. So my, my background, uh, doing these very large systems, I probably three and a half billion dollars in technology implementation over the course of my career. Major systems, very, very complex from very large enterprises and very complex environments all the way down to literally a month ago walking through a machine shop and Fort worth, right? And that does about two or$3 million a year that is in the[inaudible] a luck, lucky Martin supply chain ecosystem there and they don't know what to do. You have to be able to really understand how very complex, large prime contractor environments work, and then really scale these requirements down and then be able to articulate them so that you know, a CNC contractor that are very hardworking people with a part time, it person can really understand what it is that they need to do in order to, in order to protect this information for our country. And then obviously keep them on the straight and narrow for the compliance requirements. You had talked pretty passionately about, no, no, no, get compliant. Now tell me what is the impetus, um, and nit possibly the consequences if someone doesn't get ready now that's rapidly evolve. This last year the process was rolled out under the guise of self-certification that works well. If it's clear when I need to do, it's clear how I need to do that. And then of course, as a, as a medium and small sized business and even if the large contractors were, where does the money come from? Ultimately? So the last two years, there have been lots of obstacles that, that, um, defense contractors and their suppliers have faced. And trying to figure this out. And the self-certification model really is broken and it's not working. The, the ugly part of this is the fact that we may be looking at 20% or less of the, the entire defense industrial base is actually complied. We need to do it. It's very clear. Um, even business owners understand they just don't, they're really vexed on really how to do it. Many it guys don't speak NIST. They don't understand the controls and the controls. To be honest, mr has done a pretty good job and under and boiling this down to 110 controls, which seems like a lot, but we're really talking about very difficult to defend an it network against adversaries and sort of button that up. Uh, those, but those controls don't really articulate very well to a normal business. And so that you and I, without a strong background in this really understand, uh, what these controls really mean. Self-certification department offense has realized this, this model is broken. It's not working very well. The prime contractors are struggling with their suppliers because how do we begin to enforce, because we're required by law to enforce these requirements in check on our suppliers. But how do we do that? How do we meet our due diligence and do due care requirements, but yet get our suppliers, um, overcome these obstacles with facing this department? Defense has allowed some wiggle room. So the companies began to work on the process of implementing these requirements. The challenge though is this, is that the tyranny of the urgent, like I run a business, um, I T guys very, very busy. My business stakeholders that handled this sort of information is this controlled and classified information. They're very, very busy and it really gets pushed to the wayside. So the department offense recognizes this is a tough problem. They recognize that it's not at that the self-certification is failing and now they're getting ready to roll out as something called CMMC, which is the cyber security maturity model certification. So it's long, long name. But what they're really boils down to is that they're breaking the requirements down. They're expanding the requirements across all contractors. So it doesn't matter whether you handle this QE information or not. The second core information that needs protection, they are expanding the requirements, uh, to, um, enhancing the requirements. They are requiring a third party to certify that's happening next year. However, over the last year, there's something called the false claims act. So when the self-certification model, the way that it work is I'm a prime contractor and he's my subcontractor. I send you notices this, Hey look, you got to get, get these things done. Are you ready yet? And then you said, Hey, Bob, I T guy Bob, or are we good? Do you, you got, yeah, we're good. We're good boss. And he was, the CEO said, yep, Roger, wherever we're good and check that box and then send that back to me. I'm okay. Oh, well, you know, you met the standard, Bob says that you met the standard. Do you think you met the standard, but did you really meet the standard? Are we really, really sure that's where the false claims get act comes in. So in California, uh, a suit was brought by a whistleblower and unfortunately the false claims act incentivizes whistleblowers within your organization. They get a portion of the penalties, department of justice, their process on date, they execute the lawsuit underneath the suit, new cyber security requirements. And underneath these requirements, the federal court upheld the penalties associated with the false claims act. What that means is basically organizations either knowingly, willfully, right, or perhaps even unwittingly, but if you testify the fact that you met these requirements and self-certified now you've, you've opened yourself to these false claim act suits I brought by DOJ, that is a major concern. And if implementation next year, imagine a couple of different scenarios this year playing these roles, me as a prime contractor, I'm responsible to do an annual risk and security assessment. So that's my requirement every year. Should I say, okay, I'm going to do it by yourself or by the defense? No, now that, that's by us, that's by us. So we underwear underneath the old requirements or the current requirements and I'm certified. So I have to conduct a risk and security assessment. And during that risk and security assessment, I need to check on my supply chain. So I reach out to you and then I say, Hey, look, um, any, uh, so contractor, are you compliant? And then you say, yes, we are. And then I say, you know, I'm going to check on you. I'm going to drop in and we're going to do a spot audit on your organization. And I find out that you are not compliant or you do a little bit more due diligence. You're like, man, I need to check on my organization to really make sure you've heard some things, you, you, you realize that they're sort of ramping up this aggressive action. Now you check inside your organization and you realize, Oh, we thought we were compliant and now we, and we're probably not compliant. Now you're in, now you're in this quandary. You've told me that you're compliant. We've been working underneath the last few years that I thought you were compliant. I've checked on you. Now what do you do if you say to me as a subcontractor, the prime copter, look, we're not compliant. We're working on it. We're working through the process now. I add you to my plan of action milestones so that I can keep checking on you to make sure that you're doing what you need to do in order to become compliant. And then now you're diligently because you want to be underneath. Um, uh, the sense of urgency that you asked for is that you want to be underneath the current requirements and get these things done. The reason for that is because after January, the new requirements began to roll out and it's not clear when things are going to change. It may change. All of the Bryant requirements may change when we do the contract review next year or you know, uh, rebid it. But probably what's going to happen is that some of the requirements, like the plan of action milestones will go away. So this thing that we've been working on won't, won't be effective. You won't count anymore. And then all of a sudden, the thing that we've been sort of planning on getting well goes away and now it's either yes, no decision, I'm either compliant or I'm not compliant. Or the department offense shows up and they want to do an audit and they checked me as the prime contractor and they now they want to check some on some of my suppliers. Now things get very, very tricky or nothing happens and then a third party certifier gets trained, get certified, comes out, does the certification because now for any new business we have to be certified. And then when that contract renewal, now what happens when that certifier realizes that that those, that either that prime contract or those suppliers have not really been certified this entire time? The answer is probably false claims act, right? Because you've been self-certified and underneath this whole, this whole period now whether it's willful or whether it's, you know, incidental, the reality is is that you have been self-certified underneath this model and probably to some degree the false claims act applies. Now what we want to do is we want to get the way to mitigate risk for leaders to ask the hard questions and, and to, to think about, okay, where is our controlled and classified information? Have I seen a document out on the manufacturing floor? That's marked anything but I tar cause I, there are, I, there is no proper marketing anymore because the marketing has changed, right? So if I haven't, if I walked you out, I'm up, I walk the manufacturing floor and I've seen a, um, a print or, or a technical document and there's been no markings on it, then that's a first thing as a senior leader inside my organization, no matter what I do, whether, whether I'm sales, whether I'm the CEO, whether I'm the operations, the col, right? Or I'm, whether I'm, I am a program manager, right? Or whether I'm an operations or manufacturing supervisor. Right? So now if I haven't noticed that their probably that they're, that our controls have changed around the documents. If I have noticed that there are documents that are, that are marketed, different markings that have Kuwait, if I haven't noticed that new policies are rolled out by it, that are very, very detailed, not a policy that the it guy wrote at lunch that's got Chili's spilled on it, right. Which happens all the time because you think guys are very, very busy. But those are very, very detailed policies that sort of bring everything together. If we hadn't talked about in one of our management meetings, how are we going to manage our sensitive data? And if I haven't seen a sensitive data governance plan, and quite frankly if I, even if I haven't seen probably some additional expenditures for technology, some additional expenditures for probably for consulting because that'd because a very likely you're going to need help if I haven't seen these things. And then rest assured we're probably not on the path to compliance. Asking leaders, asking the hard questions is, is number one. The second thing is really focusing on drilling down into where do we stand from a governance perspective, asking someone, I want to see the list of policies and procedures that are associated with controlled and classified information. And if there's not a single policy and procedure sitting on your desktop that doesn't mention controlled unclassified information. If the ATAR compliance person use you and I taught manual and I turn angel doesn't say controlled unclassified information, there's a problem. Um, a third thing that you can do is drill down is say our fiscal security requirements. Have we changed things at all? Have we added cameras? Have we added, uh, ways to control visitors? Um, if I don't, do I target? If I don't do export controlled information, how am I controlling access to visitors at all? Right? Um, do I, am I properly identifying in my properly identifying my, um, uh, my employees, right? Um, am I adding a fiscal security over, um, oversight to my entrances? Um, my, uh, high risk areas do. I see, um, you know, I hate to, I hate to say this, but I walked into one of my clients a couple of years ago and we've walked out the back gate and I said, Hey, what are, what are all those boxes of documents there? He said, Oh yeah, those are our, um, those are our technical drawings. We ran out of the room and the, um, we ran out of room and the in the warehouse. So we're, we just, we've got them stack out here, you know, if you ask the hard question, okay, right. Those are our control. Technical documents or are they controlled unclassified information? Well, I'm not sure. Well, if they're either controlled the documents that could be up to a million dollars per document and a fine, if those are controlled and classified information and technical documents, then you're seriously violating, um, right. So, um, it, it, there's no intent. There's no ill will there, but the, the reality is is it was your practical measure. Right. And they didn't really understand what the requirements are. And to be honest with you, they told me, yeah, I think we're good. Well, we like you to do is do a walk through of our organization and just talk to my people and talk to my senior leaders and say, Hey Reagan, um, um, ask the hard questions and then see where we're really at and then tell me as a CEO or, or I think I was, um, this was an initial report was to the COO. Where are we as an organization and where do you, where do you think we need to go?

Speaker 2:

No. All the examples that you've given have been with physical documents yet everybody will tell you that electronic is really the scary part. And have you control that? So how do we address that side of the coin,

Speaker 1:

you know, um, in, in a manufacturing environment, um, you know, just as an example, I T and technology environment, I'm making a widget, I'm designing a widget, the digital and then, and then, uh, very often engineers when they're, when they're moving, when they're doing stuff on the, on the floor, it ends up into being a traveler or some sort of, um, some sort of document. One of my clients worked on several years ago. They spent 18 months before they call me and not getting compliant. Sure. So think about that. So all of the time, all of the energy, all of the spin of what we're going to do as an organization not to get compliant. And then finally they realized, okay, we're not going to get this done. They were pressed against the deadline last year or two years ago when we w when we walked through that environment. Exactly. You hit on the perfect example of where major problems are for many organizations. So this stuff of this organization had their uh, their data commingled because they did park commercial work and then part defense work, right? You can't co-mingle the data because there are engineers who need to access the commercial side and there are engineers that need to access the, the defense side so you can't commingle the data. So that was a huge problem. So do we segment the network? Oh my gosh. You know, they have different subsidiaries that contribute to these projects all in the same company, different sites, right. And then we look at, okay, well where's, where is the data? Well, the data was distributed properly on every single device that you could think of inside of a company, tablets, desktops, engineering systems. They had 20,000 documents that they could account for and their product life management system, they had 19 different islands of data in different disparate engineering systems all over the company. They had a technical drawings and technical details distributed across the entire organization. So we had a come to Jesus moment about, okay, organizational discipline number one. So it why it's fundamentally a change the way many organizations do business. Number two, we need to, we need to find specific locations day to consolidate this data that has to be secure to meet these requirements. And that has to be access controlled. Those organizations that have foreign persons working inside their organizations, no problem, but they can't access this data at all. Zero. And so, so how do we segment the network? How do we cut? How do we take all of this data that we're currently using? Remove it out of these despair controls, get it into environment, make sure that the data meets the requirements, make sure it's encrypted at rest, all of these different technical things. And then how do we control access within our organization so that sales has access to the documents of the need they need to access operations. My engineering teams have access to the documents, the manufacturer, um, manufacturing teams on the floor. And then that way that access is controlled. But because it goes, those requirements are very explicit. Just because I worked for the company doesn't mean that I should or do have access to to that sort of information. I need to be trained, I need to be understand what my responsibilities are. I need to understand the responsibilities of sharing that data. Because the reality is this, the law is very clear that if I'm emailing a document between my organization and I have to have a reason what to dictation, that you're compliant. I have a recent watch for dictation that you personally, the person that I'm sending it to, understands the requirements for the document that you are compliant and that you will manage and safeguard that data. Now, if I know that you are not compliant but you understand the responsibilities of that data, I can't share that data with you legally. Right? It's a very big deal. So I have to be qualified, I have to be trained and then I, then I have to be, someone has to make sure that that's enforced and there have to be policies and procedures governing what I can and cannot do. And I have to understand what those policies and procedures are. Right? And so these are the challenges that organizations are facing, but then they're facing them underneath a very compressed timeline. Now we can't get everything done in the next 60 days. That's for sure. If people call me up to Greg and look, we need help. I need you here tomorrow to walk through my organization and really give me a no kidding assessment about where we're at. We can't get it all done in the next 60 days. However, though, the way I organized, the way that I help organizations and the way that I recommend organizations help themselves is really using an agile approach. So being innovative and being adaptive, getting to understand these requirements, taking a hard look at what the, what the controls really are, and then walking through who's going to have responsibility and then not putting your it guy in charge of this. And the reason for this is the it guys have their hands full with their own controls, the cybersecurity controls. But what really needs to happen is the fact that the it guy's going to say to the business core business stakeholders, Hey guys, I'll protect the data, but I don't even know what the data is that what you said. So it's your core business stakeholders that are the data owners really. So it's[inaudible], they're using it day to day, they're using it in sales for a business development in RFPs. They're using it in operations, they're using it in the design piece they're using in the shipping piece and the and the nondestructive testing. The things that we do before we ship, we've seen that our products, so they're using the data all day long. So what you need is you need a, an executive who will lead, has the authority to wrangle all of these different cats and dogs and really get them organized and then start looking at the data because the requirements follow the data wherever the data goes, whether it's in my organization, across my organization, from my organization to your organization name, from your organization to all of the contractors that you use, wherever that data goes, the requirements follow up. We gotta get busy. We have to, we have to understand where we are. We have to do that risk and security assessment this year. Okay. That's the first most important thing. Identify the gaps and and voids and then capture that all document, all of those things and then now work on our plan of action and milestones which is what is the Getwell plan I w and then look, we've got to identify those resources. If you're on a fiscal year from October like some defense contractors are or you're on a fiscal year, a calendar, you don't have very much time to identify the resources, identify the technologies because a lots of vendors are standing in line, well when to sell you things that will not get you compliant. They could get you compliant but they likely won't on their own. There's no magic silver bullet. Buy this box and how uncompliant that doesn't happen. You need to understand what technology investments that are going to meet the requirements now and then scale into the requirements into the future because we are only beginning, we are only beginning. The requirements for next year could be even more stringent. They're going to impact every single defense contractor period. Whether you, whether you make bolts or whether you do stealth aircraft, uh, whether you make, um, toothbrushes, right? That the, that the government buys or whether you do, you know, state of the art laser technologies, right? It will impact every single, every single contractor next year. If you're going to make a technology investment, you need to know what you're going to spend your money on and you need to be thrifty and very wise about what you're spending your money on. It needs to be sustainable technology because just because I buy a widget doesn't mean my T guys will use it or have used it. I can't tell you how many times I've walked into an organization, principally the midsize and smaller organizations, done the risk and security assessment and then asked a very hardworking, a network admin. So let's talk about your firewall and let's talk about security monitoring. Okay, good. All right, so how are you doing that? Well, yeah, I mean we've got a firewall. Okay, good. Are you monitoring it? Well, you don't want to do it when I can, but you know, I've helped this to get to, I've got this and that I've got to do, okay, well what do you, can you log into your firewall? Sure. Okay. So locked into as firewall is your firewall turned on? And then there's that silent. Oh, and then he says, well, we had turned on, but there were so many alarms and so many alerts and uh, you know, it was blocking access to this application, that application. And to be honest with you, I had to turn it off, um, because I just, you know, I had so many things going on. Yeah. Okay, well, listen, you got to turn the firewall back on because it won't, because our organization, everyone thinks that the organization is protected and it's not. Right. And then we have to help you, help you either devise a system or get you the help, the resource, um, you know, that's, or maybe some outside help, maybe from one of my guys, right. That can help you understand how to reconcile these, these, these alerts and these alarms and so that you can de-conflict them and you can keep your firewall on. Because if the boss or whoever who's complaining that they couldn't get access to this or that, that's a permission issue. So, so we can help you, you know, we can help you get through the fire here, but you got to keep it turned on, man. Yeah. I can't tell you how many times I've had these candid conversations and it's embarrassing, right? And they don't want people to know.

Speaker 2:

So you're basically saying even a lot of executives will say, yes, we're compliant. But once you dig down into some of their people, but they don't know what gillion what they don't know is going to get them in really, really hot water over over this year. Next year

Speaker 1:

they started ramping up. The Navy has basically said, if you aren't compliant in 30 days, we have the right to terminate your contract. And we have given NCS the authority to do the investigation. No one wants the NCI S inside the organization doing an investigation on whether or not I willfully or or, uh, through my own negligence and not compliant. That's crazy. What we want to do is run our businesses. We want to provide for our families. We, we don't want to make a false choice between, well, I've got to get compliant or I need six people. That's a false choice. That's not true. What we need to do is make a, have a better strategy on how we get compliant and then high up how we hire those six people that we need to do. So the reality is, is that we want to run our businesses. We want to secure this data because it matters to our country. It matters to our children, it matters to our grandchildren. We have to do it and we have to start right now.

Speaker 2:

Now, you had talked a little bit about like, but let's say the first step really are these companies, they just need to evaluate where they are and put someone in charge and really kind of get, look under some rocks and figure out, okay, what do we have? And once they get scared, what do they do?

Speaker 1:

Okay. What once I get scared, what do they do? They have to, they have to make an honest assessment here. Okay. This is the hard part. The hard part is, is that I have great people. Every organization that I've touched has had really hardworking people, but they may simply not know. Of course we provide third party support to these companies, right? But the reality is is that there's not very good information on the internet about how to get this done. I recommend, you know, it doesn't matter me, um, some other, some other company, but contact someone to help get you started, at least help you organize, help you develop a strategy and a roadmap and, and help you really understand where you're at right now. That doesn't take very long and it's not very expensive to do that if the person is saying to you what you need to buy, you know, this laundry list of technologies, because there are lots of companies out there that, that they're technology companies. We of course, you know, have turnkey solutions, but our turnkey solutions are practical. If you go to your technology provider, he'll tell you that there's a widget that can do this. The reality is, is that it's organizational behavior and it's the constraints of your people. They are your best asset and your greatest liability. Sure. You really need to focus on your people first and your technology second. So organize your people, do the, ask the hard questions, get some outside help if you need it. If you really do think, look, my it guy is not going to get not gonna make it and um, or I've got a big project and people were just overwhelmed, which is, which happens, you know, Jack of all trades, right? I've got seven hats and I can only wear one right now and give an honest assessment of how much help I'm going to need. How much can you get an honest assessment of how much gonna and that rapport, that trust experiences, everything. If your it provider or you do manage security services outside your organization, they w they may say that they understand these requirements, but there are very few companies out there that really do that. That's a hard discernment question, right? Because I've got my tea company that I go to and I, you know, I'll say, Hey, Hey Chuck, I need you to study up on these requirements and to come back to me and tell me what we need to do there. There not a lot of companies out there that speak NIST, so I've actually helped it. Companies that help their clients get compliant to help them organize and help them understand what these requirements mean and help the it companies actually support their clients. So that sounds sort of weird because you would think, well look, they're just, you know, let me, let me talk to your customer. But I, but for me it's not really a matter of finding customers. For me it's managing bandwidth. It because they're just, there's so many of us inside of my company. So for me it's a really a, what I call a combat multiplier. My goal is to get the defense industry compliant. Yes, of course I want my company be successful, but at the end of the day I want to turn, um, and I want you to train it, educate force multipliers so that these companies can do these things on their own. I don't, I don't want to be heroin. I don't want, I don't want, uh, you know, defense industry full of addicts that are now, uh, reliant on consultants to get them through the day. We really have to focus on educating and training rapidly educating trap and working side by side with, with it companies who can provide value added services to their clients and they're working side by side with the companies themselves so that their it guys and their operations managers can really begin in data management managers, right. Can really begin to tackle this problem. And you can do it in a sustainable way because at the end of the day, if whatever system that you build is not sustainable, you will fail because compliance is a difficult thing. You need to think about it in the long road, not in the short road. And so yes, we write the write the policies. Yes, my acceptable, um, my access control policy turned into from four pages to 25 pages. That's 25 pages. Yes, they meet their crutch, but they have to be sustainable, right? So the, the goal is yes, to be compliant, but to align that with how you really do business change, how you really do business to make sure it's compliant because they don't have to be, they don't have to be juxtaposed. In fact, the reality is for most organizations, we've been able to identify actual operation efficiencies to make things run better. Not to say, unfortunately most compliance people are the office of, no, no, you can't do this. No, you can't do that. And we really, I'm an operations person. So I spent my, as I mentioned before, I spent my entire career deploying technologies, rapidly. Environments that no is not the answer, yes is the answer. So what we do is we find the obstacle and then we overcome that obstacle in order to get to the yes. So compliance needs to be the office of yes and up, uh, the office of efficiency and the op and the office, operational alignment, not, no, not restrictions. Now you can't do this, you can't do that. You have to do this and you have to do that. They need to understand the business model. Sure. So this really is a longterm effort. It helps to have someone in charge of it or owning it. Yes. For the long term. And almost like getting healthy. I'm thinking of all the things I'm going to be doing in January to get myself healthy. But that's part of a healthy organization. And this needs to be your person. You're a personal trainer in your organization that makes everything ship shape. Yeah, that's exactly right. So, you know, that's a, that's a perfect analogy. And here's the reason why as you are, and you know, if I'm an average person or if I am an anti Trump company, cannot really afford a personal trainer for the next 25 years of my life. No. Right? I need that personal trainer to really get me on the path to help me understand what I need to do. Um, overcome my nose because I'm like, Oh God, I don't know how to do that. Alright, no, we're not going to do that. No, no, no. You got to do that because this is how we go, right? Yeah. I'm overcome my nose, overcome my objections, helped me see things I don't see and help me build a plan that says, you know what? You've been super helpful. But now I think I can do it on my own. The, the challenge ultimately really, really boils down to the long road. Really. I say to my clients and I've said to the government and giving them feedback that this is compliance driven, digital transformation for normal companies. Sure. Most companies, they're there firefighting every single day, right? They're trying to get their products out there. Trying to overcome the, the normal stuff that they have to do. And the reality is, is that this, this, this really is transformative in a lot of ways that the VA that they do business, and that's hard. I would say to them, the way I've built my career is people coming to me saying, this needs to get done. This has to get done. It's dang near impossible, or it's really, really, really hard. We're going to need you to, I need you to get this done. And then we figure out a way to get it done. Sure. Yeah. I like hard things. I mean, that's, you know, it's part of in my DNA. Right? Sure. So, and this is a really, really hard problem. Sure. I think that what, when you're talking about leadership, I've always been chosen to overcome these hard problems, to develop what I call the coalition of the willing sure. To align people, get people set and give them the guidance and let them go do their greatness and then hold them accountable and to check and make sure that we're checking and making progress. That's the sort of leader that you need in charge. So if you have that pink pinch hitter or um, relief pitcher, sure. This is my GoTo person, Nancy, she is my GoTo person that will get this done. So Nancy doesn't understand this at all. Okay, great. Well have Nancy link up with a person like me, educate them and then and then empower them, um, and T to do, go and do greatness. That's really a model that will really work for most companies. Okay. So if a company does want to get a trainer and they love you, so how do they get ahold of you? Okay, so we are@dtcglobal.us. Okay. not.com. Dot us and we are, we're having a difficult time keeping up. So for me, contact me or people like me and let's walk through your organization and let's just do an assessment just just to walk through and to talk through with your key stakeholders. Get your it folks in the room and let's just do a couple of hour talk about what the, what the requirements are, what they tried, where they fail, and see if I can't just give them some direction. If you need some additional help, then we can really focus in on, okay, how are we going to work that in the schedule and then on the remaining ends of the eater. But if I can't help you, if you need too much help or if I can't help you, then, uh, I've developed sort of a coalition of the willing of my own inside of this industry because there are very few people that really know what they're doing and I will put them in contact with some trusted companies in their area or that are, you know, here in Dallas Fort worth or wherever that they're located. And then, um, and to be able to, to support and help them. Um, so we under the gun, we only have 60 days left. I think that the very first step is don't commit to any organization, uh, because organizations that have lots of time on their hands to sell you lots of stuff probably are not the organizations that you need right now. What you need is an organization that's going to help you triage what you need and triage what your priorities are and help you focus on your party server the next 60 days. And then, and then if I can help you, if I've got the, uh, my company's got that bandwidth to help you, we will help you. And if not, we will find me somebody that we trust, that, that can help you to get with those what you need done in those particular areas. I think this is a good place for having folks start and hopefully we'll have some very compliant people listening to our podcast at the end of this whole process. I tell people, don't be overwhelmed. Don't be overwhelmed. It can be overwhelming. Sure. Baby steps up the mountain like that. January 1st or January 2nd, that first day that has stepped in the gym. You know, like we all do. Don't be overwhelmed. The gym is full and the gym is pretty going to be pretty full over the next 60 days trying to get ready, but don't be overwhelmed one step at a time. Baby steps up. We have to unrelenting baby steps. Well, we have to be ready. We have to do what we can do right now, and we have to get things what we can get in place, and then we have to be prepared because next year is going to be a very, very tough year for many, many companies.