CMMC framework overview


The US Department of Defense (DoD) has finalized its Cybersecurity Maturity Model Certification (CMMC) program, which will hold its supply chain — called the Defense Industrial Base (DIB) — accountable for providing cybersecurity protections for certain types of information.  The CMMC involves a structured assessment of the DIB member’s IT system against an objective set of standards.  In this post, we provide an overview of the CMMC framework and some comments on how this framework affects small businesses.   

For those already somewhat familiar with the CMMC framework based on the DoD’s proposed CMMC rule publication, the DoD nicely encapsulates the differences between the proposed and final CMMC rules here. If you’re new to the DIB or CMMC, and want to know what it’s all about, buckle up and read on!

By the way, the DoD refers to those of us subject to CMMC as “Organizations Seeking Assessment” (OSA) or “Organizations Seeking Certification” (OSC).  In this post we’ll just refer to us all collectively as OSA, because all 220,000+ members of the DIB are affected by CMMC assessments in some way. And since our mission is to help our small business OSA peers, all numbers presented here are DoD estimates for small-to-medium sized businesses.

Also, you can think of the word “control” as used in this post as “cybersecurity safeguard”.

UPDATE 20 December 2024: clarified the conditions under which a Conditional assessment or certification results at CMMC Level 2.

Bottom Line Up Front (BLUF)

The most pressing question we are asked about CMMC is “how much will it cost my small business to achieve CMMC?”  There’s no way around it: abiding by the CMMC framework will be expensive for small business OSA.  The table below shows the DoD’s own estimates for costs and duration of CMMC assessments:

Table illustrating CMMC framework costs by assessment type

Assessment costs include:

  • time spent, by OSA and their External Service Provider (ESP) partners, gathering implementation evidence
  • conducting/participating in the assessment (OSA and ESP)
  • paying C3PAO assessors
  • post assessment work
  • affirmation cost: submitting affirmation into DoD reporting portal and closeout of any deficient assessment objectives

Note that the table above lists assessment and certification cost estimates only, not costs of implementation.  We cover implementation costs in our CMMC Readiness Workshops and monthly Town Halls, so if you’re an OSA just starting your CMMC journey, you’ll want to join us in one of those.  

Based on our experience, we think the numbers above are about right. And yes, a CMMC Level 2 C3PAO assessment is going to cost about that much 🙁 But if you’re concerned about the costs of assessment, the DoD essentially says, “too bad, this is part of doing business with us”, and an OSA will have to make a “business decision” to pursue work with the DoD: 


“Verifying compliance with applicable security requirements may increase cost and is necessary for the protection of DoD FCI and CUI. The cost of lost technological advantage over potential adversaries is greater than the costs of such enforcement.”

Don’t worry if you have no idea what the table above is all about: in the rest of this post we’ll break down the CMMC Levels, elucidate which of us are affected by each level, describe what the assessment process looks like, and much more. 

The image below shows the assessment requirements and small business OSA subject to each level of the CMMC Framework:

Table showing assessment requirements and number of entities subject to each level of CMMC

General notes about the CMMC framework

CMMC-related contractual processes (Title 48) have been proposed by the DoD in a separate rule. Once the 48 CFR rule is finalized, CMMC can be included in solicitations, option years, and period of performance extensions, and perhaps even applied to already awarded contracts, subject to bilateral negotiations.

The framework notes that there are CMMC asset types, depending on how the asset interacts with Federal Contract Information (FCI) or Controlled Unclassified Information (CUI).  These asset types are described in the rule, but are better described in the CMMC Scoping Guides.  See also our post on CMMC Scoping for small business. OSAs determine the assessment scope, asset inventory, and asset categories.  The task then is to verify the cybersecurity safeguard implementation within this scope.  That’s what the CMMC is all about.

Service Acquisition Executives or Component Acquisition Executives may waive CMMC (DFARS clause 252.204-7021) from solicitations or contracts, but the contractors will still be required to implement the cybersecurity controls. DoD Program Managers (PM) will determine which CMMC level applies to contracts or procurements, as:

"The requiring activity knows the type and sensitivity of information that will be shared with or developed by the awarded contractor..."

The bold emphasis in the quote above is ours, because in our experience, unfortunately the DoD is not familiar enough with the specific types of information developed by certain sectors of the DIB. So we feel this is a bit of an overstatement of the DoD’s visibility into the supply chain, but…onward!

Prime contractors will determine the CMMC level for subcontractors, if not already defined in the contract.

CMMC will be a requirement at the time of contract award, no exceptions. OSA will be required to plan for adequate time to receive a certification by the time of contract award, to account for any unforeseen delays (e.g. C3PAO assessment delays).  

OSA are required to maintain all artifacts, as well as hashes of those artifacts, that supported the assessment for six years after the assessment. 

You’ll see the role “Affirming Official” referenced frequently in the CMMC framework.  This is a CMMC-specific role defined as “the senior level representative from within each Organization Seeking Assessment (OSA) who is responsible for ensuring the OSA’s compliance with the CMMC Program requirements and has the authority to affirm the OSA’s continuing compliance with the specified security requirements for their respective organizations.”   Affirmation submission includes the name, title, and contact information for the Affirming Official and the Affirmation statement.  All assessment types explained in detail below require an annual affirmation by the organization, as well as under the following circumstances:

  • Achievement of Conditional and/or Final CMMC status
  • Following a POA&M closeout assessment

Details about each CMMC Level

The CMMC framework provides a table delineating the three levels of CMMC as we showed above, the assessment and affirmation activities at each level, and whether or not Plans of Action and Milestones (POA&M) are allowed:

A table copied from the CMMC rule illustrating how CMMC framework levels are to be flowed down, based on subcontract relationship

CMMC Level 1

A CMMC Level 1 annual self-assessment is required of those contractors who only handle Federal Contract Information (FCI), with results, as well as an “affirmation” by a senior organizational official, entered in the Supplier Performance Risk System (SPRS) annually.

“The entry in SPRS for CMMC Level 1 is a binary selection between Yes and No based on meeting all Level 1 security requirements.”

The results of this assessment must all be Met, or else the OSA is not eligible for contract award.  For Level 1 an OSA will have to use the corresponding NIST 800-171A assessment objectives to guide the Level 1 self-assessment. No Plan of Action & Milestones (POA&M) is allowed for CMMC Level 1.

Level 1 Scoping

All assets that handle (store, process, transmit) FCI, including people, tech, facilities, and External Service Providers (ESP) are in scope for the assessment. You as the OSA are responsible for defining the assessment scope, although an OSA can define different boundaries for different CMMC Levels. If the scope changes during the “validity period” (1 year), a new assessment may be warranted.

Reporting of results

The following information will be reported through the SPRS system for a Level 1 assessment:

  • CMMC level
  • CMMC status date
  • CMMC assessment scope
  • CAGE code(s) in scope
  • Compliance result (Met / Not met)

Controls

Identical to the FAR 52.204-21 requirements.

Assessment requirements

OSA use the NIST 800-171A assessment objectives for those controls that map to the FAR 52.204-21 controls. There is a table in the rule which maps the FAR requirement to the 800-171A objectives.  (Totem Technologies built our company around a compliance management tool that incorporates this mapping as well as a ton of supplemental guidance on CMMC Level 1 assessments.  Check it out!)

POA&Ms

Not allowed at CMMC Level 1.

CMMC Level 2

There are two types of assessment for contractors who handle Controlled Unclassified Information (CUI): self-assessment or “C3PAO” / “certification” assessment.  The determination of which contracts require which type of assessment is made by the DoD Program Manager for that particular program or supply chain,

"predicated on program criticality, information sensitivity, and the severity of cyber threat." [The self-assessment option exists to] “allow the acquiring organization to balance the cost and complexity of assessment with the risk to the information being shared with the OSA.”

Affirmation is required after any assessment, and annually thereafter, and for POA&M closeout. POA&M for select requirements is allowed, but must be closed out within 180 days of the assessment.  The 180-day period starts as soon as the assessment results are loaded into SPRS (self-assessment) or eMASS (a government repository for C3PAO assessment result information).

Assessments only need to happen every three years, unless an “organizational change” triggers a new assessment.  What is an organizational change that might cause such a trigger?  The CMMC L2 Scoping Guide states this most concisely:  

“A new assessment is required if there are significant architectural or boundary changes to the previous CMMC Assessment Scope. Examples include, but are not limited to, expansions of networks or mergers and acquisitions. Operational changes within a CMMC Assessment Scope, such as adding or subtracting resources within the existing assessment boundary that follow the existing SSP, do not require a new assessment, but rather may be covered by annual affirmations to the continuing compliance with requirements.”

Self-assessment

A self-assessment with a POA&M is considered “Conditional”; without a POA&M, or when a POA&M is closed out, the assessment is considered “Final”. The organization is eligible for contract award with either Conditional or Final and affirmation.  

A Final Self-assessment results from the organization Meeting all controls at the time of assessment. 

A Conditional Self-assessment results when the organization has any Not Met controls but still scores 88/110 or above, and lists those deficient controls on a POA&M, assuming those controls are allowed to be on a POA&M.  See the POA&Ms section below for more information on which controls are and are not allowed to be deficient at the time of assessment.

Self-assessment is required every three years, with annual affirmation.

C3PAO or certification assessment

“Authorized or accredited” CMMC 3rd Party Assessment Organizations (C3PAOs) perform a certification assessment; here again, with a POA&M the assessment is considered “Conditional”, without a POA&M or after POA&M closeout the assessment is “Final”. 

Just as with the Self-Assessment, a Final Certification results when the organization has Met all controls at the time of assessment, and a Conditional Certification results when the organization has allowable Not Met controls.  See the POA&Ms section below for more information. 

During the assessment, any controls Not Met can be re-evaluated up to 10 days following the “active” assessment period. C3PAO will have to do a POA&M closeout assessment (expect to pay more for this). The organization is eligible for contract award with either Conditional or Final and affirmation. The C3PAOs issue a “Certificate of CMMC Status”, as “OSCs are not certified; rather, the assessed network receives a Certificate of CMMC Status”.

As with self-assessment, certification is required every three years with annual affirmation. OSAs with C3PAO assessment certifications are automatically eligible for contracts that require Level 2 self-assessment.  

The certifications will last 3 years, and C3PAOs will enter results in eMASS, which will interface with SPRS. Only the assessment results, a list of artifacts, and a hash of those artifacts will be uploaded into eMASS; the government will not be collecting your actual documents. C3PAOs will keep “working papers” from the assessment for 6 years.  The assessment results must be checked over by a quality assurance person at the C3PAO, who cannot be a member of the assessment team.
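Both the six-year artifact retention requirement and the eMASS upload described above rest on a hash of each artifact, so an OSA needs a reproducible way to hash its evidence set at assessment time and to re-check it later. The following is an added example, not code from the post, the DoD, or any C3PAO tooling: it assumes the artifacts are plain files under one directory, and the file names and contents it creates are constructed for the demonstration.

```python
"""Build and verify a SHA-256 manifest of CMMC assessment artifacts.

Added example (not from the post or any DoD tool). Assumes artifacts are
ordinary files under one directory; sample files below are constructed.
"""
import hashlib
import json
import tempfile
from pathlib import Path

CHUNK = 1 << 16  # read in 64 KiB chunks so large evidence files are not loaded whole


def sha256_file(path: Path) -> str:
    """Return the hex SHA-256 digest of a file's contents."""
    h = hashlib.sha256()
    with path.open("rb") as f:
        for block in iter(lambda: f.read(CHUNK), b""):
            h.update(block)
    return h.hexdigest()


def build_manifest(root: Path) -> dict:
    """Hash every regular file under root, keyed by POSIX-style relative path.

    Paths are sorted so the manifest, and therefore its own digest, is the
    same regardless of filesystem ordering.
    """
    files = sorted(p for p in root.rglob("*") if p.is_file())
    entries = {p.relative_to(root).as_posix(): sha256_file(p) for p in files}
    # One digest over the canonical JSON of the entries gives a single value
    # that can be recorded with the affirmation.
    canonical = json.dumps(entries, sort_keys=True, separators=(",", ":")).encode()
    return {"algorithm": "sha256", "files": entries,
            "manifest_sha256": hashlib.sha256(canonical).hexdigest()}


def verify_manifest(root: Path, manifest: dict) -> dict:
    """Compare the directory's current contents against a stored manifest."""
    current = build_manifest(root)["files"]
    recorded = manifest["files"]
    return {
        "modified": sorted(p for p in recorded if p in current and current[p] != recorded[p]),
        "missing": sorted(p for p in recorded if p not in current),
        "added": sorted(p for p in current if p not in recorded),
    }


def run_demo() -> dict:
    """Create constructed sample artifacts, build a manifest, tamper, re-verify."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / "policies").mkdir()
        (root / "policies" / "access_control_policy.txt").write_text("constructed policy text\n")
        (root / "ssp.txt").write_text("constructed system security plan\n")
        (root / "scan_results.csv").write_text("host,finding\nconstructed-host,none\n")

        manifest = build_manifest(root)
        clean = verify_manifest(root, manifest)

        # Simulate drift over the retention period: one file edited, one
        # deleted, one new file that was never part of the evidence set.
        (root / "ssp.txt").write_text("constructed system security plan, edited later\n")
        (root / "scan_results.csv").unlink()
        (root / "new_note.txt").write_text("not assessed\n")
        drifted = verify_manifest(root, manifest)

        return {"file_count": len(manifest["files"]), "clean": clean,
                "drifted": drifted, "manifest_sha256": manifest["manifest_sha256"]}


if __name__ == "__main__":
    print(json.dumps(run_demo(), indent=2))
```

Store the manifest JSON outside the artifact directory (and ideally in the same place as the affirmation record) so that a later verification run can distinguish an edited artifact from a missing or unexpected one; the `manifest_sha256` value is what you would quote if asked for a single hash over the whole evidence set.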

Companies that scored a perfect 110 on a DIBCAC High assessment, including JSVA, within three years of the effective date of the rule are eligible for a CMMC Level 2 Final Certification; however, these companies must submit an affirmation as well.

Level 2 Scoping

The CMMC Level 2 scoping guide mentioned above has fantastic guidance on scoping a Level 2 system.  This process can be complex; if you’re looking for help with it, consider our Workshop. Note that at Level 2, you still have to maintain a separate CMMC L1 assessment / affirmation, unless the L1 and L2 scope are identical:

“Successful completion of a CMMC Level 2 self-assessment or CMMC Level 2 certification assessment will suffice to meet the CMMC Level 1 requirement for FCI if/when the scope is identical.”

Controls

The controls at CMMC Level 2 are identical to those found in the NIST 800-171 revision 2.  

POA&Ms

As mentioned above, your overall SPRS score must be at least 88/110 (80%) to achieve a Conditional assessment or certification result, where only one-point controls (or 3.13.11 if only 3 points deducted) can be deficient at the time of assessment, and none of the 1-point Level 1 (FAR 52.204-21) controls can be deficient.  See our SPRS post that explains more about the assessment scoring system as published by the DoD.

“Operational plans of action” to address “temporary deficiencies”, “recurring maintenance activities” (e.g. patching, lack of FIPS-validated modules in a patched OS, or Continuous Monitoring activities) and “Enduring Exceptions” (e.g. systems required to replicate fielded systems, like test equipment, or that cannot otherwise meet the controls [this is going to be a tricky one to interpret]) are allowed on a POA&M at the time of assessment and the associated Assessment Objectives will be marked as MET.

Any deficient Objectives that are marked as NOT MET must be closed within 180 days of the assessment. Note that the DoD delineates between “operational plans of action” and “POA&Ms”.  In our opinion, the DoD could have used better phrasing to more clearly distinguish between operational vs. non-conformance plans of action, but the rule is final. 

Not Met controls can be fixed and re-evaluated during a Level 2 assessment and for 10 days afterwards if additional evidence is provided that 1) indicates the control is Met and does not affect the effectiveness of other requirements, and 2) the C3PAO has not submitted their report yet.


CMMC Level 3

CMMC Level 3 is associated with a subset of the controls in NIST 800-172, for contractors who handle more critical CUI (or what Totem calls “CUI+”).

DIBCAC (an office under DCMA) will perform CMMC Level 3 assessments, after the OSA achieves Level 2.  There are no self-assessments at Level 3.

POA&Ms are allowed like in Level 2, with DIBCAC performing POA&M closeout assessment.

The CMMC Level 3 certification will last three years. DIBCAC will enter the assessment scores in eMASS and SPRS. The same Conditional vs Final assessment result dichotomy holds in this level, except the scoring is different than in Level 2, and the allowable POA&M’d controls are different. Certification is required every three years with annual affirmation.

OSAs cannot simultaneously pursue a “combined” L2 and L3 in one assessment, as:

“[p]ermitting OSCs to seek combined CMMC Level 2 and 3 assessments would unfairly benefit only a subset of OSCs that were identified to meet CMMC Level 3 requirements.”

Scoping

Scoping in Level 3 is approached the same as with Level 2, with the addition that Contractor Risk Managed Assets are re-scoped to full CUI Assets, the latter of which may be protected by an “intermediary device”.  General examples of intermediary devices are provided, e.g. a “jump box” (a computer used specifically to provide a proxy interface to another computer).

During the Level 2 assessment precursor to the Level 3 assessment, Operational Technology (OT) and Internet of Things (IoT) are fully IN SCOPE, unless physically or logically isolated, whereas these technologies could be deemed “Specialized Assets” under Level 2.

The Level 3 scope cannot be greater than Level 2 scope; i.e. the Level 3 system must be subject in entirety to the Level 2 controls as well.

Controls

There are 24 controls at Level 3, a selected subset of NIST 800-172, which are listed in the rule. All additional controls are only worth 1 point in the assessment scoring system. DoD-assigned parameters for L3 controls are listed here.

POA&Ms

The OSA must have a score of at least 80% to achieve a Level 3 Conditional certification, and none of the following controls can be deficient: 3.6.1e, 3.6.2e, 3.11.1e, 3.11.4e, 3.11.6e, 3.11.7e, 3.14.3e.

Note that the three-year expiration date for a CMMC Level 2 or Level 3 Assessment is “based on the CMMC Status Date of the Conditional Status if a POA&M was required or the Final Status if the assessment resulted in a score of 110. CMMC Status date is not based on the date of a POA&M closeout assessment.”
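The Level 2 POA&M rules (88/110 minimum, only one-point controls or 3.13.11 at a 3-point deduction deficient, no Level 1 control deficient, 180-day closeout) and the Level 3 rules (80% of 24 one-point controls, seven controls that can never be deficient) are really one decision procedure: Final, Conditional, or not eligible for award. The following is an added example that encodes that procedure; it is not code from the post or the DoD. Two things in it are assumptions: `LEVEL1_CONTROLS` is the FAR 52.204-21 mapping as this example takes it (confirm against the rule's mapping table), and `L2_POINTS` is a constructed, partial point table in which any control not listed counts as one point, which is not true of the real DoD scoring, so the official weights must be loaded before relying on a result.

```python
"""Classify a CMMC Level 2 or Level 3 assessment outcome as Final,
Conditional (POA&M allowed) or Not eligible, per the rules in the post.

Added example, not from the post or the DoD. LEVEL1_CONTROLS is an assumed
mapping; L2_POINTS is a constructed partial weight table (default 1 point).
"""
from datetime import date, timedelta
from typing import NamedTuple

L2_TOTAL, L2_MIN_SCORE, FIPS_CONTROL = 110, 88, "3.13.11"
L3_TOTAL, L3_MIN_FRACTION = 24, 0.80
POAM_CLOSEOUT_DAYS = 180

# Assumed FAR 52.204-21 (Level 1) controls; none may be deficient at Level 2.
LEVEL1_CONTROLS = {
    "3.1.1", "3.1.2", "3.1.20", "3.1.22", "3.5.1", "3.5.2", "3.8.3", "3.10.1",
    "3.10.3", "3.10.4", "3.10.5", "3.13.1", "3.13.5", "3.14.1", "3.14.2",
    "3.14.4", "3.14.5",
}
# Constructed, partial point table: replace with the DoD methodology weights.
L2_POINTS = {"3.1.1": 5, "3.1.12": 5, "3.5.2": 5, "3.14.2": 5, FIPS_CONTROL: 5}
# Level 3 controls that can never be on a POA&M (from the rule, as quoted in the post).
L3_NO_POAM = {"3.6.1e", "3.6.2e", "3.11.1e", "3.11.4e", "3.11.6e", "3.11.7e", "3.14.3e"}


class Outcome(NamedTuple):
    status: str        # "Final", "Conditional" or "Not eligible"
    score: int
    poam: list         # controls that would have to go on the POA&M
    reason: str


def level2_outcome(not_met: set, partial_fips: bool = False) -> Outcome:
    """partial_fips: encryption is in place but not FIPS-validated, so 3.13.11
    loses only 3 of its 5 points and is still POA&M-eligible."""
    if not not_met:
        return Outcome("Final", L2_TOTAL, [], "all 110 controls Met")
    deductions = {c: (3 if c == FIPS_CONTROL and partial_fips else L2_POINTS.get(c, 1))
                  for c in not_met}
    score = L2_TOTAL - sum(deductions.values())
    poam = sorted(not_met)
    if score < L2_MIN_SCORE:
        return Outcome("Not eligible", score, poam, f"score {score} below {L2_MIN_SCORE}")
    blocked = sorted(not_met & LEVEL1_CONTROLS)
    if blocked:
        return Outcome("Not eligible", score, poam, f"Level 1 control(s) deficient: {blocked}")
    heavy = sorted(c for c, pts in deductions.items() if pts != 1
                   and not (c == FIPS_CONTROL and pts == 3))
    if heavy:
        return Outcome("Not eligible", score, poam, f"multi-point control(s) deficient: {heavy}")
    return Outcome("Conditional", score, poam, f"POA&M must close within {POAM_CLOSEOUT_DAYS} days")


def level3_outcome(not_met: set) -> Outcome:
    """Level 3: 24 controls at one point each, 80% minimum, seven never deficient."""
    score = L3_TOTAL - len(not_met)
    if not not_met:
        return Outcome("Final", score, [], "all 24 controls Met")
    poam = sorted(not_met)
    if score / L3_TOTAL < L3_MIN_FRACTION:
        return Outcome("Not eligible", score, poam, f"{score}/{L3_TOTAL} is below 80%")
    blocked = sorted(not_met & L3_NO_POAM)
    if blocked:
        return Outcome("Not eligible", score, poam, f"non-POA&M control(s) deficient: {blocked}")
    return Outcome("Conditional", score, poam, f"POA&M must close within {POAM_CLOSEOUT_DAYS} days")


def poam_closeout_deadline(results_loaded_iso: str) -> str:
    """The 180-day clock starts when results are loaded into SPRS or eMASS."""
    return (date.fromisoformat(results_loaded_iso) + timedelta(days=POAM_CLOSEOUT_DAYS)).isoformat()


if __name__ == "__main__":
    print(level2_outcome({"3.3.3", FIPS_CONTROL}, partial_fips=True))
    print(level3_outcome({"3.6.1e"}))
    print(poam_closeout_deadline("2025-01-15"))
```

The check order matters: the score threshold is applied first, then the Level 1 exclusion, then the per-control point rule, so the reason returned is the first blocker an assessor would hit rather than a list of everything wrong.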

Contractual flowdowns of the CMMC framework

The table below describes what level CMMC assessment certification the OSA must hold, based on the prime contractor’s CMMC level requirements and what type of information the subcontractor handles:

A table copied from the CMMC rule illustrating how CMMC framework levels are to be flowed down, based on subcontract relationship

Note that Prime contractors are not always required to flow down a CMMC Level 3 requirement, but at a minimum the flow down will be Level 2 C3PAO requirement.  Primes

“are not required to assess subcontractor implementation of the requirements of NIST SP 800-171…[but] to flow down CMMC assessment requirements…[and] will not be granted access to subcontractor's information in SPRS…[so the] DoD expects that defense contractors will share information about CMMC status with other DIB members to facilitate effective teaming arrangements when bidding for DoD contracts”

How does the CMMC framework affect ESP?

The CMMC framework refers to Managed Service Providers (MSP), Managed Security Service Providers (MSSP), and Cloud Service Providers (CSP) as ESP.  The CMMC Level 2 Scoping Guide has the most concise description of how CMMC affects ESP: “To be considered an ESP, data (specifically CUI or Security Protection Data (SPD)) must reside on the ESP assets.”  ESP will need a customer responsibility matrix [CRM, aka shared responsibility matrix SRM], “which describes the responsibilities of the OSA and ESP with respect to the services provided.”

Note that “ESPs are not subcontractors on a DoD contract and are not bound by subcontractor flow down requirements.”

Under the CMMC framework, “CUI or Security Protection Data (e.g., log data, configuration data), must be processed, stored, or transmitted on the ESP assets to be considered an ESP.” 

Cloud Service Providers (CSP)

ESP that handle CUI in the cloud are Cloud Service Providers (CSP) and must achieve a FedRAMP Moderate ATO or may meet “equivalency” if the CSP meets the criteria outlined here.

The CMMC framework confirms that to be considered a CSP, an ESP must meet the definition in NIST 800-145, namely having these five attributes:

  • On-demand self-service: Consumers can provision computing resources without human interaction.
  • Broad network access: Capabilities are available over the network and can be accessed from a variety of devices.
  • Resource pooling: The provider’s resources are shared among multiple consumers.
  • Rapid elasticity: Capabilities can be provisioned and released quickly, sometimes automatically.
  • Location independence: Customers generally don’t know the exact location of their resources, but may be able to specify a higher-level location.

An ESP that manages a third-party cloud service on behalf of an OSA, for instance as Totem Tech manages our ZCaaS™, would not be considered a CSP.

ESP that have cloud services but do not handle CUI are in scope for the OSA assessment, but do not need to meet FedRAMP requirements.

OSA assets used to connect to a CSP are in-scope for the assessment.

There is a nice table summarizing ESP and CSP assessment criteria here.

Security Protection Assets (SPA) and Security Protection Data (SPD)

SPD includes: “configuration data required to operate an SPA, log files generated by or ingested by an SPA, data related to the configuration or vulnerability status of in-scope assets, and passwords that grant access to the in-scope environment.”

“ESPs that only store SPD or provide an SPA and do not process, store, or transmit CUI do not require CMMC assessment or certification.” However, the rule also says “The services provided by the ESP are in the OSA’s assessment scope and shall be assessed as Security Protection Assets.” In our opinion, these two statements can be taken as contradictory, but we think the gist is that ESPs that handle SPD don’t necessarily have to pursue independent certification.  

ESP may, however, elect to have independent CMMC level certification equal to or above the OSA. If the ESP does not handle CUI, they will be included in the OSA’s assessment scope. ESP seeking independent CMMC assessment/certification will need a CAGE code and SPRS account to complete the annual attestation.

ISP and Telecom providers

ISPs and telecom providers are not subject to CMMC, unless they are defense contractors, and as long as CUI is encrypted during transmission through their services.

Corporate or Enterprise IT services

“Corporate IT” for satellite offices is probably considered an ESP: “ESPs can be part of the same corporate/organizational structure but still be external to the OSA such as a centralized SOC or NOC which supports multiple business units. The same requirements apply and are based on whether or not the ESP provides cloud services and whether or not the ESP processes, stores, or transmits CUI on their systems.”  But only those aspects of Corporate IT that your office uses are in scope:

“For example, a centralized IT group may acquire, configure, deploy, and maintain a standard anti-malware tool. Systems within a defined assessment scope use that centrally deployed tool. The anti-malware tool and the people in the IT group who maintain it, the processes and policies to deploy and update it, and the supporting systems (e.g., management server) could be in the CMMC Assessment Scope but other functions performed by the enterprise IT and other enterprise assets would not be automatically part of the CMMC Assessment Scope.”

If your company only provides staffing services, try to get your customer to provide all the IT assets and facilities, as “An ESP that is used as staff augmentation and the OSA provides all processes, technology, and facilities does not need CMMC assessment.”

Establishing a VPN with ESP equipment brings that equipment into CMMC scope.

The CMMC framework will be implemented in phases

Full implementation of “CMMC by all defense contractors will occur over seven years” via a phased approach.

Phase 1

Begins on the effective date of the last final rule, either the framework rule covered in this post or the 48 CFR rule, whichever is later.  In Phase 1, CMMC Level 1 and Level 2 self-assessment requirements will go into all solicitations, contracts, and some existing contract options (this latter part at the DoD’s discretion). CMMC Level 2 certifications may be required at DoD discretion.

Phase 2

Begins one calendar year after the beginning of Phase 1.  DoD extended the duration of Phase 1 to allow contractors some additional time to catch up on their NIST 800-171 implementation and CMMC preparation.  In Phase 2, CMMC Level 2 certification requirements will go into all applicable solicitations, contracts, and some existing contract options.  DoD may delay Level 2 inclusion to an option period instead of at contract award.  CMMC Level 3 certifications may be required at DoD discretion.

Phase 3 

Begins one calendar year after beginning of Phase 2. CMMC Level 2 and Level 3 certification requirements (where applicable) will be a condition of all contract vehicles, except for CMMC Level 3 certifications in option periods at DoD discretion.

Phase 4

Full implementation of CMMC, beginning one calendar year after the beginning of Phase 3. All contracts will include CMMC requirements. 

For more information on where things are currently at with the phase-in of the CMMC framework, consider participating in one of our monthly Town Halls.

Notes on the CMMC framework "ecosystem"

The DoD has built an “ecosystem” of assessment entities to support CMMC Level 2 C3PAO assessments. 

There will be one Accreditation Body (AB) for CMMC (cyberab.org), with a mission to accredit C3PAOs. The AB will also oversee the training element of CMMC, called the Cybersecurity Assessor and Instructor Certification Organization (CAICO).

The DoD CMMC PMO will subject prospective C3PAOs to FOCI (foreign ownership, control, or influence) risk assessments. C3PAOs are allowed to be foreign owned, however.  And US-owned C3PAOs may operate in a foreign nation.

C3PAO assessment teams must include at least two people: a Lead CMMC Certified Assessor (CCA), and at least one other CCA.  Additional CCAs and CMMC Certified Professionals (CCP) may also participate. 

C3PAOs are required to have an appeals process, managed by the quality assurance staff, which can be escalated to the AB, which will have final authority. The OSA must direct disputes about the CMMC Level in the contract to the DoD contracting officer. There is no minimum time to wait after a failed assessment to schedule another assessment.

Members of the AB will be prohibited from participating in CMMC activities for six months after leaving the AB.

The AB is responsible for policing conflicts of interest and professional conduct in the ecosystem.

Ecosystem members cannot participate in an assessment of an organization for whom they helped prepare for the assessment.

Ecosystem members must report to the AB any civil or criminal offense related to fraud, larceny, embezzlement, misappropriation of funds, misrepresentation, perjury, false swearing, conspiracy to conceal, or a similar offense.

All C3PAO assessment team members will have to undergo a Tier 3 background investigation, or meet “the equivalent of a favorably adjudicated Tier 3 background investigation”. Since “a C3PAO may use its own employees to staff an assessment, it also may leverage CCAs and CCPs who are independent contractors, rather than employees of a specific C3PAO. Because these independent CCAs and CCPs may not be covered by the C3PAO’s background check requirement, CMMC requires CCAs and CCPs to have their own Type 3 background checks or equivalent.”

CAICO certifications are good for 3 years.

CCAs must 1) be a CCP, 2) have 3 years of cybersecurity experience, 3) have 1 year of assessment/audit experience, and 4) hold an industry baseline certification, e.g. Security+, CISSP, CISA, etc.

A Lead CCA must have 5 years of cybersecurity experience, 5 years of management experience, 3 years of assessment/audit experience, and a baseline cybersecurity management certification, e.g. CISSP, CISM, etc. CCAs are tightly restricted as to what IT they can use during the assessment, and must use equipment provided by a C3PAO.

CCI (Instructors) cannot also provide CMMC consulting services.

Miscellaneous notes and tidbits

As we’ve noted before, CMMC Level 2 is coupled to the NIST 800-171 rev 2 standard for the foreseeable future.

The CMMC framework narrowly focuses CMMC assessments: “The CMMC program is not a verification program for compliance with all requirements of DFARS clause 252.204-7012, rather, its purpose is to ensure compliance with FAR clause 52.204-21, NIST SP 800-171 R2, and NIST 800-172 Feb2021 when applicable.” 

In Virtual Desktop Infrastructure (VDI) solutions that prevent the transmission of CUI by only allowing Keyboard, Video, Mouse (KVM) interaction, the VDI client is considered out-of-scope for the CMMC Assessment.  This is GREAT news for Totem Tech’s ZCaaS™ solution, which was intended from the start to facilitate de-scoping the BYOD or unmanaged client machines.

In the CMMC framework, “periodically” means no less frequently than one year.

“Fundamental research” that is “shared broadly within the scientific community” is by definition NOT FCI/CUI, and entities that only handle fundamental research are not likely to see CMMC requirements.

CMMC is applicable to Joint Ventures (JV) if they operate a covered system.

“Organization-defined” means determined by the OSA.

Government systems operated by contractors are not covered by this rule.

The CMMC framework “does not specify the number of POA&Ms that may be used to address one or more CMMC security requirement that were Not Met during a CMMC assessment. The OSA may choose to use a single POA&M or multiple POA&Ms.”

Wrapping up

Whew, you made it!  Congratulations, and welcome to CMMC Thunderdome!

At the end of the day, CMMC is about ensuring our customers that we are adequately securing the sensitive military information we are privileged to handle.  The framework might seem a little complex for small businesses, and we agree, but we can attest that it is doable on a small business budget. You just have to know where to start.

We know CMMC can be overwhelming, so if you’re looking for more help on this consider participating in one of our CMMC Readiness Workshops, or just contact us for more information.  Or perhaps consider engaging the services of one of our Trusted Partners.  

Good Hunting!

–Adam
