WEBVTT
00:00:00.000 --> 00:00:00.000
Thank you, Dr. Iorga, and the entire NIST team. Thanks to many of you here in this community that are championing OSCAL and moving forward.
00:00:00.000 --> 00:00:00.000
I see a lot of familiar names, and some of you I haven't caught up with in a long time, and I apologize.
00:00:00.000 --> 00:00:00.000
But, love what everybody is building. We're all.
00:00:00.000 --> 00:00:00.000
You know, we're all in this together, and I think all of us believe that OSCAL is one of the most important innovations in the GRC space that we've seen in a really, really long time.
00:00:00.000 --> 00:00:00.000
And so I'm delighted to be here, and thanks to everybody for joining. Like Michaela said, I'm Kenny Scott.
00:00:00.000 --> 00:00:00.000
I'm the co-founder and CEO of Paramify. We're an integrated risk solution software company.
00:00:00.000 --> 00:00:00.000
And in today's session, I'm excited to guide you through our journey of enhancing security compliance posture with the And specifically, we're going to explore how we can apply this to CMMC among other requirements.
00:00:00.000 --> 00:00:00.000
And, I don't know about you guys. As it turns out, in my experience everybody hates manual documentation, and I don't know if you guys on the call have had to do this, but I've had to manage multiple 1,000-plus-page SSP documents.
00:00:00.000 --> 00:00:00.000
And have done it manually, and no one ever asked me, "Hey, Kenny, hey dude, how do I get your job, man?"
00:00:00.000 --> 00:00:00.000
And it's really strained budgets, and I think it continues to strain budgets. And so I think a lot of us are trying to fight that, so when we look at the combination of, like, templates and checklists and, let's be honest, Bob probably like our fair share of Yeah, and all legal drugs, right?
00:00:00.000 --> 00:00:00.000
And it's in an effort to manage our time spent on compliance documentation. We're trying to reduce it.
00:00:00.000 --> 00:00:00.000
And sometimes we're trying to build out all sorts of automation tools, and the number of variables can just be overwhelming.
00:00:00.000 --> 00:00:00.000
Right, and it's not really our fault. It's just the complexity of things, and so what we're trying to do at is a to take what was maybe 60 to 80% of budgets.
00:00:00.000 --> 00:00:00.000
And maybe reduce that to a fraction of that. Maybe 6 or 8%. Is that possible to do?
00:00:00.000 --> 00:00:00.000
And so we believe that it is possible and it is really honestly thanks to and so I We're just really big fans, and we're gonna be championing it from here on out and hopefully working with a lot of you.
00:00:00.000 --> 00:00:00.000
As we move it forward. Moving forward, excuse me. Just had a bunch of sparkling water.
00:00:00.000 --> 00:00:00.000
Okay. So those who are tasked with, you know, setting compliance standards, they're not often in the trenches with us.
00:00:00.000 --> 00:00:00.000
They don't feel the impact necessarily of the requirements. And it's not that they're.
00:00:00.000 --> 00:00:00.000
They're not, it's not ill intentions. It's just that they operate at a distance from those who actually have to do the things.
00:00:00.000 --> 00:00:00.000
Right, so, you know, while setting compliance regimes is commendable, they fall short in providing a straightforward path for people to excel in cybersecurity compliance.
00:00:00.000 --> 00:00:00.000
It's just the existing tools and templates just aren't enough. So it reminds me of when I was doing this, right?
00:00:00.000 --> 00:00:00.000
So, I'm here in Lehi, Utah today. About 7 years ago, I was, probably sometime around now, because we would always prepare for, you know, the big audit push, especially in the federal space, around springtime.
00:00:00.000 --> 00:00:00.000
Because we had our audits in the summer, I remember.
And you know, I'm just, like, late at night.
00:00:00.000 --> 00:00:00.000
You know, just working through these different Excel documents and Word documents and various attachments, and trying to manage that is just like, I think of the late Charlie Munger, his favorite quote, right? It's like bringing a one-legged man to an ass-kicking contest. It's just, like, so tough to win.
00:00:00.000 --> 00:00:00.000
And so over the last 2 decades, I've had an amazing chance to work with many companies big and small with their security programs and to help them achieve compliance with various compliance regimes.
00:00:00.000 --> 00:00:00.000
I had the fantastic opportunity to be one of the pioneers of the Adobe Common Controls Framework.
00:00:00.000 --> 00:00:00.000
And so it's. Just come back with me in time for a little bit. It's Adobe.
00:00:00.000 --> 00:00:00.000
It's 2012. We're transitioning our business from shipping DVDs to hosting subscription services in the cloud.
00:00:00.000 --> 00:00:00.000
So security is not a nice-to-have at that point. A must-have, and so we're tasked with, I got tasked with simplifying the compliance process for multiple frameworks.
00:00:00.000 --> 00:00:00.000
Yeah, like in one place, right? So SOC 2, PCI, ISO 27001, HIPAA, and then finally eventually.
00:00:00.000 --> 00:00:00.000
And it was absolutely collateral. And it was for all the cloud solutions that Adobe across, you know, digital media and digital marketing.
00:00:00.000 --> 00:00:00.000
And also within the managed services. And so as we worked with teams across W, we drew up precise statements on how security controls should be implemented, and that's what became the Adobe Common Controls Framework.
00:00:00.000 --> 00:00:00.000
Not sure if any of you are familiar with that. But we did, we open sourced that, and that is still what they're doing.
00:00:00.000 --> 00:00:00.000
We work with them today and it's still really useful.
But my realization was, like, or the problem that I thought was, when I would go talk about it at conferences, people would come up to
00:00:00.000 --> 00:00:00.000
me afterwards and say, "Hey, you know, love what you're doing with CCF, Kenny, seems like a cool idea, you know, but I can't really use that." And at first, you know, because I wasn't really entrepreneurial minded at the time, I took offense.
00:00:00.000 --> 00:00:00.000
Oh my god, because I can't believe, how do you not get it, right? So I took offense at first, and they would spend cycles trying to understand exactly what was required, looking at a statement.
00:00:00.000 --> 00:00:00.000
You know, something about, you know, an authorization before you're pushing a change through. And so to them, it seemed like our focus was on inflexible requirements, but that's not what it was.
00:00:00.000 --> 00:00:00.000
In practice, we were always focused on how to implement, you know, top-tier security capabilities.
00:00:00.000 --> 00:00:00.000
You know, guided by our Saudi partners, you know, within the organization, whether they were in SecOps or in DevOps.
00:00:00.000 --> 00:00:00.000
And what we did is on the back end, we would map the CCF, keep those statements to actual capabilities, right?
00:00:00.000 --> 00:00:00.000
So for example, we're using Okta for MFA, or using Active Directory for the identity repository, or we're using some of the automated features of RDS for automated backup.
00:00:00.000 --> 00:00:00.000
Capabilities, and so those capabilities would map to various IA and AC and CP controls in FedRAMP.
And more in other compliance frameworks.
00:00:00.000 --> 00:00:00.000
I don't know if that makes sense. And so that actually resonated with people, and say, "Oh yeah, you know, just, you know, make sure you're using Okta or make sure you're authenticating using Active Directory credentials."
00:00:00.000 --> 00:00:00.000
And so I established a consulting practice focusing on how I can help organizations build these things. And so I called those risk solutions, for some reason.
00:00:00.000 --> 00:00:00.000
That's what we still call them. If you guys have a better name, would love to hear it, so we'll talk about it later.
00:00:00.000 --> 00:00:00.000
When you scale security and compliance, a lot of time, most of my time was spent on documentation and deliverables.
00:00:00.000 --> 00:00:00.000
I mean, just that's what it was for a lot of us when you're going to enterprise.
00:00:00.000 --> 00:00:00.000
And I thought the risk solution focus would enable a significant amount of automation in our documentation processes and for any organization.
00:00:00.000 --> 00:00:00.000
And you know what, it actually worked in a lot of different. It was an embarrassing prototype, you know, that we put together.
00:00:00.000 --> 00:00:00.000
But it made compliance documentation a little bit easier. And it was for a lot of different company sizes.
00:00:00.000 --> 00:00:00.000
In a lot of different compliance regimes. So whether FedRAMP or SOC 2, right? ISO 27001, No need to Madison, right?
00:00:00.000 --> 00:00:00.000
Like we created it, you know, and it was working. But with that, you know, came more asks, right?
00:00:00.000 --> 00:00:00.000
So the initial prototype of Paramify was focused on streamlining FedRAMP Moderate SSPs.
00:00:00.000 --> 00:00:00.000
And for complex packages. Hey, and it was FedRAMP focused.
But what happened was people would ask, "Hey, can you do it for SOC 2? Can you do it for ISO 27001?" And then the same people that I was helping with Moderate packages were like, "Hey, can we convert this to High?"
00:00:00.000 --> 00:00:00.000
And IL5. And then CMMC. It's just, you know, me at the time, and I'm, like, not very good at coding, you know, but, you know, good enough to be dangerous, right?
00:00:00.000 --> 00:00:00.000
And having to refactor all the time led to issues, and so we have all these different catalogs and all these different report formats.
00:00:00.000 --> 00:00:00.000
And frequent updates, and we realized we needed a universal standard, and that's when I found my people, right?
00:00:00.000 --> 00:00:00.000
That's when I found you guys, right? And thanks to the team at NIST, right?
00:00:00.000 --> 00:00:00.000
OSCAL actually enabled us to use, you know, this approach of risk solutions, and we could have the flexibility we needed.
00:00:00.000 --> 00:00:00.000
So when we think of what is required, you know, for a security requirement, you need to know the context of what is being asked.
00:00:00.000 --> 00:00:00.000
You have to know, hey, what is the, not, yeah. So, what is being asked, and you need to know, how do you evidence those things that are being asked?
00:00:00.000 --> 00:00:00.000
And then finally you need to have the reporting capability. You need all those things. And so OSCAL really did enable that.
00:00:00.000 --> 00:00:00.000
And anyways. Yeah, so. Anyways, yeah, sorry, I got distracted real quick.
00:00:00.000 --> 00:00:00.000
So let's talk about, you know, the 3 different phases of OSCAL.
00:00:00.000 --> 00:00:00.000
I know a lot of you guys are already familiar with this, but I'm just gonna go over it.
00:00:00.000 --> 00:00:00.000
So there's these 3 areas, right, for requirements, implementation and assessment.
And so let's just go over really quick, you know, catalogs, and I'm gonna show you.
00:00:00.000 --> 00:00:00.000
At the end of this, I'm gonna show you how we've done the CMMC catalogs, and happy to share those with you guys at some point.
00:00:00.000 --> 00:00:00.000
Alright, so, first off, what is the catalog? So a catalog would be something like NIST 800-53.
00:00:00.000 --> 00:00:00.000
CMMC is based off of 800-171, and for level 3 it's 172.
00:00:00.000 --> 00:00:00.000
Right. And so how does that work, right? You have these catalogs that have parameters, you have controls, and within controls you have groupings and you can have requirements.
00:00:00.000 --> 00:00:00.000
And you have back matter. So that's the way we look at it. But profiles are going to take various different catalogs and files and you're gonna merge.
00:00:00.000 --> 00:00:00.000
And create a control baseline. So that is what we try, we use. Oh, say, hey, what is the actual policy?
00:00:00.000 --> 00:00:00.000
What do you actually have to do within your organization? Okay, and so let me just kinda go through how you get it.
00:00:00.000 --> 00:00:00.000
How do we organize, like, CMMC catalogs and profiles? So we'll go through it.
00:00:00.000 --> 00:00:00.000
Okay. So here we go. We're looking at some JSON file.
00:00:00.000 --> 00:00:00.000
Catalog control parts, right? So here we have the statement 3.1.1, right?
00:00:00.000 --> 00:00:00.000
And it says limit access to authorized users, processes on behalf of authorized users, and devices, but when we get assessed against CMMC.
00:00:00.000 --> 00:00:00.000
It's actually the assessment criteria. And so we broke out the different parts, you know, in this catalog.
00:00:00.000 --> 00:00:00.000
Right, because sometimes the statement doesn't get us there, right? So that's how we simply organize the catalog, just like that.
00:00:00.000 --> 00:00:00.000
For 172, there's, like 800-53, there are parameters.
00:00:00.000 --> 00:00:00.000
A lot of you guys have already discovered all these things. Okay, so those are the parameters.
00:00:00.000 --> 00:00:00.000
There's several, but not near as many as in NIST 800-53, obviously. Finally, when we have those catalogs, when you're going for level one, which is the self certification.
00:00:00.000 --> 00:00:00.000
You know, there's only a few controls that get imported, right? But with level 2, there's a lot more, right?
00:00:00.000 --> 00:00:00.000
We have several more controls that get imported. And then with level 3, you're pulling actually from 2 different catalogs.
00:00:00.000 --> 00:00:00.000
You're pulling from the 171 catalog and the 172 catalog.
00:00:00.000 --> 00:00:00.000
And that is just how we structure that and try to keep it as simple as possible.
00:00:00.000 --> 00:00:00.000
Okay, and so what that does is we can bring that into Paramify. So you're looking at.
00:00:00.000 --> 00:00:00.000
A Paramify setup right here. This is what the catalogs look like represented.
00:00:00.000 --> 00:00:00.000
You know, and we just have maximum flexibility with how we present that. This is how we do it for pretty much every compliance regime.
00:00:00.000 --> 00:00:00.000
We do it that way. And then we know exactly the things that we need to implement.
00:00:00.000 --> 00:00:00.000
Right. So, from here. When we think of OSCAL, I was just talking to Michaela yesterday.
00:00:00.000 --> 00:00:00.000
OSCAL is amazing. It's, you still have to do everything, right? When it comes to security, and it doesn't automate things for you.
00:00:00.000 --> 00:00:00.000
But for me, having that standard, we have a way to really streamline a lot, right? So we have our requirements.
00:00:00.000 --> 00:00:00.000
So we've gone through that, catalogs and profiles. And then we gotta go through implementation.
00:00:00.000 --> 00:00:00.000
So there's the 2 different things, right? There's the SSP and the component definition model.
00:00:00.000 --> 00:00:00.000
I love the component definition model because it is just, you know, that's how we think of security.
00:00:00.000 --> 00:00:00.000
We think, you know, a SaaS component that actually helps you implement security. You don't have to start from scratch.
00:00:00.000 --> 00:00:00.000
You know, so we can use, like, AWS Inspector for scanning our infrastructure. We can use GuardDuty.
00:00:00.000 --> 00:00:00.000
We can use components that are within our AWS environment to help us implement security correctly.
00:00:00.000 --> 00:00:00.000
Alright. Finally, you know, with the system security plan, we can use those components with Got to help us fill out how those controls are taken care of.
00:00:00.000 --> 00:00:00.000
So. Again, you know, implementing OSCAL. Yeah, it's hard if you don't have the right tool.
00:00:00.000 --> 00:00:00.000
And so not everybody has to know what it is, right? So I'm gonna show you Paramify's risk solutions platform and the way we think of it, and love to get your feedback on it.
00:00:00.000 --> 00:00:00.000
But our whole goal is to help people adopt OSCAL quickly, like as fast as possible so that they can take advantage of.
00:00:00.000 --> 00:00:00.000
The deliverables that come from. And so we have a very simple intake process and it looks like this.
00:00:00.000 --> 00:00:00.000
We try to identify who are, what are the different people within your organization.
00:00:00.000 --> 00:00:00.000
And when we think of people, think of parties within, and you think of the roles.
Right, so, I don't know how many of you are familiar with FedRAMP provision, revision for SSPs, but they have this really nice table that they took out.
00:00:00.000 --> 00:00:00.000
So we actually put it back in as our own separate appendix by default in Paramify, but section 9.3 has this description of the different roles within the organization.
00:00:00.000 --> 00:00:00.000
And the challenge was making sure that that roles table was correct. And mapping it to what's actually.
00:00:00.000 --> 00:00:00.000
What was then section 13, right? Like where you're implementing all the controls. It's like so freaking hard to do because.
00:00:00.000 --> 00:00:00.000
As and when components change and roles change and people change, you know, you're having to manually maintain.
00:00:00.000 --> 00:00:00.000
A table in section 9.3 and then also within the security documentation itself. But OSCAL changes all of that, right?
00:00:00.000 --> 00:00:00.000
Because you have a standard way to report on those things. So we at the very beginning find out, hey, what are you doing for IT?
00:00:00.000 --> 00:00:00.000
Who is your, do you have a devs role? How does deployment look for you guys? What do your security roles look like? Are you a small company where you have one InfoSec admin and they do everything, or are you a larger organization and you have, like, disparate teams? For example, like identity management: you have an identity management team, you have a networking team, you have an incident response team, you have a red team, you have
00:00:00.000 --> 00:00:00.000
a blue team. It can get really complex, right, in all of those you different controls, right? We want to know where you're deployed, right?
00:00:00.000 --> 00:00:00.000
So if you're deployed in a garage. Or that's gonna be a lot different than if you're deployed in.
00:00:00.000 --> 00:00:00.000
You know, an AWS environment, right?
Or if you're in bare metal, there's implications in terms of what you can inherit and where you're gonna have a lot more responsibility for doing things.
00:00:00.000 --> 00:00:00.000
Finally, you know, what are the things that you're using? So I mentioned a few of the things earlier, right?
00:00:00.000 --> 00:00:00.000
Are you using Okta, for example, for your identity management? Are you using Active Directory or Google Directory for your birthright access repository.
00:00:00.000 --> 00:00:00.000
For identity. Are you using, you know, Inspector, you know, for scanning vulnerabilities or, you know, any number of tools.
00:00:00.000 --> 00:00:00.000
But what happens is those go into our initial setup for solutions. So we've gathered all of these things, and these become your bespoke set of capabilities.
00:00:00.000 --> 00:00:00.000
So risk solutions are technical and non-technical capabilities that you have within your organization. So a technical thing might be something like, you know, managing the single sign-on sync between Active Directory and your single sign-on.
00:00:00.000 --> 00:00:00.000
Tooling and multi-factor authentication. That could be something that's more of a technical configuration, right?
00:00:00.000 --> 00:00:00.000
There's a lot involved in that. But it could be non-technical.
00:00:00.000 --> 00:00:00.000
It could be HR, HR background checks, which have some kind of implication on security and risk, right?
00:00:00.000 --> 00:00:00.000
So what happens is we give those capabilities to the experts, right? To those people who have those roles, and they're managing a minimum set.
00:00:00.000 --> 00:00:00.000
Of capabilities, right? And they implement those, and as we have issues, we're managing the POA&Ms and we're making those changes within.
00:00:00.000 --> 00:00:00.000
The risk solution itself. David, so that becomes kind of like a Benjamin Button capability that gets younger and younger, stronger and stronger.
00:00:00.000 --> 00:00:00.000
You can only imagine, right? So. What's good for security, that is good for compliance.
00:00:00.000 --> 00:00:00.000
And with the advent of OSCAL, right, we have catalogs and profiles that help us maintain the context again of what is being asked of us, right?
00:00:00.000 --> 00:00:00.000
What's being asked of us, what is the, you know, the artifact that we need to have, right?
00:00:00.000 --> 00:00:00.000
And then finally, how do we report on that? And all of that gets maintained and it's not truncated by just a single common control.
00:00:00.000 --> 00:00:00.000
Right, we get all of that, right? And so with that, you can have very consistent deliverables, and you guys know, you heard it since you were little at, you know, baseball or soccer or dance or whatever.
00:00:00.000 --> 00:00:00.000
Consistency is key. With those consistent deliverables, you know, it really becomes a framework for you, that, you know, frameworks enable agility, right?
00:00:00.000 --> 00:00:00.000
And so that's our whole focus, right? Is the risk solutions platform. Okay.
00:00:00.000 --> 00:00:00.000
Let me show you how this works for us with, you know, OSCAL, right?
00:00:00.000 --> 00:00:00.000
After you do this intake, you've got your different roles and you've got your different capabilities.
00:00:00.000 --> 00:00:00.000
We call them elements. So roles are really important. And the different privileges associated with them, where you're deployed.
00:00:00.000 --> 00:00:00.000
There's something for that. The different kinds of data that you have and the way that you organize security work.
00:00:00.000 --> 00:00:00.000
Alright, so let's look at, let's look at one, right? So, Google Directory. For us, we're a Google shop.
00:00:00.000 --> 00:00:00.000
That's a lever of the Google Workspace FedRAMP background capability, right?
00:00:00.000 --> 00:00:00.000
So we've got some different capabilities within Google Workspace, Google Directory itself, right? Okay, and so those all match the component definition, but what we do is we kind of invert.
00:00:00.000 --> 00:00:00.000
The component definition model, where instead of a component inventory, it's a capability inventory.
00:00:00.000 --> 00:00:00.000
And so I'm gonna show you exactly what I mean, right? Yeah, with that.
00:00:00.000 --> 00:00:00.000
Okay. So this is an older version of Paramify, right, but here it still looks pretty similar.
00:00:00.000 --> 00:00:00.000
These are our capabilities here, right? So we've got, and this is how we organize it right out of the box, and a lot of our customers have their own, and I have no idea what they're doing even, but they do their own risk solutions.
00:00:00.000 --> 00:00:00.000
Okay, so here we go, like multi-factor authentication for us. You can see that we have the Google ISSO, right?
00:00:00.000 --> 00:00:00.000
That's responsible for this particular, this component, but our IT admin, we're responsible for making sure that Google Directory and together.
00:00:00.000 --> 00:00:00.000
And these map to various different requirements. Okay. And these could map to CMMC and to ISO and everything else.
00:00:00.000 --> 00:00:00.000
And I'm gonna actually show you that in a little bit, but risk solutions are that capability inventory that you start with.
00:00:00.000 --> 00:00:00.000
So do the intake, you got your elements, and then finally you got your capability inventory. We are going to be sharing this, you know, soon with the community, where we'll just open it up where people can just use it.
00:00:00.000 --> 00:00:00.000
So how does this, what does this mean for CMMC deliverables?
00:00:00.000 --> 00:00:00.000
Okay, so let's say that we have this project. We're trying to get FedRAMP right now, right? But this is just an example.
00:00:00.000 --> 00:00:00.000
So we have these requirements, 320 to this environment. So here we have users are authorizing our We have.
00:00:00.000 --> 00:00:00.000
Sorry, it's gone too fast, right? I recorded this right before. So that it would work, right?
00:00:00.000 --> 00:00:00.000
So you could see it, but. What we've got here, I'm gonna pause it real quick so that I can.
00:00:00.000 --> 00:00:00.000
Stop so I can, like, look at this. Sorry. We've got, you know, the service account permissions.
00:00:00.000 --> 00:00:00.000
This is a risk solution, and what this is trying to do, right, is,
00:00:00.000 --> 00:00:00.000
It's being used to comply with a lot of different requirements, right? This is gonna pop up a lot in CMMC, for example.
00:00:00.000 --> 00:00:00.000
Managing permissions. And so this is how we would organize that, right?
00:00:00.000 --> 00:00:00.000
We have IAM, which is a component from the AWS environment. Right? And the identity team is responsible for making sure that this is, you know, that this is taken care of, right?
00:00:00.000 --> 00:00:00.000
So once we do all this, we have the ability, right, to export our SSP.
00:00:00.000 --> 00:00:00.000
Right. And so this is the, for CMMC.
00:00:00.000 --> 00:00:00.000
Hmm.
00:00:00.000 --> 00:00:00.000
And there it is. Man, doesn't that look great? Love. Some clean Oh, beautiful.
00:00:00.000 --> 00:00:00.000
And when you have that, we have a standard, right, of a way to report. You can also.
00:00:00.000 --> 00:00:00.000
You can also do awesome deliverables, right? Human-readable deliverables, because there's a standard, and you know, from there.
00:00:00.000 --> 00:00:00.000
You can just, you know, you can fill all these things out. You can manage the boundary diagrams, right?
00:00:00.000 --> 00:00:00.000
And here's your roles table, and that's gonna be consistent with wherever you apply these different capabilities.
00:00:00.000 --> 00:00:00.000
Because they're all tied together. Nice.
00:00:00.000 --> 00:00:00.000
We can also, you know, set a base set of policies. Again, policies is simply, you know, what are the requirements for the system and what are the parameters set.
00:00:00.000 --> 00:00:00.000
Also procedures, right? Because procedures are essentially what your, you know, those capabilities, those risk solutions, and they're managed by the various different roles.
00:00:00.000 --> 00:00:00.000
Alright, so. Again, with OSCAL, you have all this ability to really streamline your security efforts, right, going from 0 to done a lot quicker, or at least getting to, you know.
00:00:00.000 --> 00:00:00.000
The 5 yard line, and then it's just like t push right into the end zone, right? So with with we really have a great opportunity to manage the whole life cycle of SSP management, POA&Ms and assessment.
00:00:00.000 --> 00:00:00.000
And I think we're just getting started. So I think I'm going a little fast, but that's the end of my presentation for today.
00:00:00.000 --> 00:00:30.000
So happy to go into Q&A and dive deep on anywhere you want to talk about, CMMC in particular.