Talkin' SaaS

No Excuses for Insecurity with GovRAMP ED Leah McGrath

Renee Moseley


Leah McGrath, Executive Director of StateRAMP dba GovRAMP, explains how GovRAMP evolved from creating a common shared solution to address a common shared challenge that affects state and local governments. Learn how GovRAMP bridges the cybersecurity gap for state and local governments, providing a streamlined and collaborative framework to validate the cyber posture of the cloud products and technologies leveraged by government.

GL Solutions helps governments run, grow and adapt. For more information about GL Solutions and our modernization service for regulatory agencies, visit us on the web at www.glsolutions.com. Or connect with us via Facebook, X or LinkedIn. Reach our host, Sam Hardin, at hardin@glsolutions.com or on LinkedIn. We look forward to hearing from you.

Announcement:

Sam, welcome to Talkin' SaaS, brought to you by GL Solutions. Talkin' SaaS is your source for the inside scoop on software as a service, featuring interviews with proven regulatory leaders from state government staff to private sector authorities, and commentary in conversations that deliver practical solutions for your current regulatory challenges. Thanks for listening, and don't forget to rate, review, subscribe and follow wherever you listen to podcasts or at GL Solutions, and be sure to send us feedback by clicking on the "Send us a text" link just above the episode description in your favorite podcast app. And now here's your host at Talkin' SaaS, Sam Hardin.

Sam Hardin:

Well, thanks for joining me, Leah. And so let's go ahead and talk about, give me your background, your story, and then I want to jump into StateRAMP after that.

Leah McGrath:

So well, Leah McGrath, I'm the Executive Director of StateRAMP that is now doing business as GovRAMP, and I think we're going to talk about that a little bit today. But my background really is public sector. So you know, I've spent my 20-plus-year career in and around state and local government specifically. So just before coming to StateRAMP, or now GovRAMP, I had served as Deputy Mayor for the city of Fishers, Indiana, where I live. I love this community. I loved my time serving, and the five years I spent there, I really focused on one of the things that I did, responsibilities I had, was helping modernize. You know, we had a lot of modernization initiatives thinking about, how do we bring government to individuals where they want to meet it, right, in a digital environment? How do we make, how do we use modern tools that we can attract and retain the best talent for the community as well? And it was through those efforts and really trying to automate or digitize, modernize, right, how government was being delivered and how we did that, that I realized how hard that is to do for the public sector, and it is. It's really challenged, because when you are working in the public sector for state, local government, education agencies, it doesn't matter, right? But the responsibilities are still the same. We are entrusted to protect critical infrastructure, critical data, and that means that you have to take a little bit of an extra hard look when you are investing in technologies or leveraging technologies that will transmit, store, process or have a potential impact on your data security. And so it was through those experiences that I really gained an appreciation for just how challenging the situation was and continues to be, but also how exciting it is to think about, how do we innovate? How do we bring innovation to government faster? How do we serve better? How do we leverage data to make more informed decisions?
And now that we see the advent of GenAI really coming into play, those questions become even more important and more exciting, but also the risks grow. And so I think cybersecurity has never been more important, and having good hygiene and best practices. You know, one of the things that I think we've really seen in the last 20 years, certainly during my career and time working, has been that we're integrated and we are partners in being able to serve, right, whether it's industry coming together with our government leaders. We cannot do the things that we do in government without our technology partners there. And so when I was going through this process myself working in government, I continued to find these just barriers and challenges to be able to do that, to be able to achieve that partnership and that innovation faster. And it was through those discussions that I ended up meeting the founders of StateRAMP, now GovRAMP, Joe Bielawski and Julie Bielawski, who own Knowledge Services, and they were moving their company to Fishers, Indiana. How serendipitous is that? And then through their interactions, I met J.R. Sloan, who is the CIO of the state of Arizona. And in talking with them and our founding steering committee members, I realized that the challenges I was facing in the state of Indiana were the same challenges that leaders across the country were facing, and that is, how do we adopt technologies, knowing that the security is where we need it to be. So that is my background.

Sam Hardin:

That was an amazing intro. Thank you. That was, that really like paints the picture for me, and it really seems like it came out of need. You were kind of working in public government and seeing the need and then meeting the right people at the right time and coming together and saying, Hey, we're all kind of experiencing the same thing. So why don't we, you know, work on this together. I mean, gosh, thank you for sharing. That was just like, really cool to get that full story. Okay, so I want to kind of break down what StateRAMP is, what they do, what the mission and vision is to help the listeners kind of understand, you know, what are you trying to accomplish at StateRAMP?

Leah McGrath:

So, you know, you nailed it actually, Sam, when you were just talking. And that is, you know, what we found very early on is that when there is a common shared challenge across industry and government, there's an opportunity for a common, shared solution, and that is what StateRAMP now GovRAMP is about. GovRAMP's mission is to drive best practices in, you know, cybersecurity, and to do so by really bringing all of the stakeholders together to recognize a common framework so that we can have a common method to validate and verify the cyber posture of the cloud products and technologies that governments leveraging. And in doing that, we're able to have a security program that really is a shared service where providers can verify their cloud products one time in one place, reporting, continuous monitoring, right? And then they're able to provision access to those insights to their government customers, so they report once to serve the many, and then government, our participating governments and agency partners are able to access those insights so they're, that they don't have to do that assessment or that validation on their own. They're able to, instead leverage the insights so that they can make risk based decisions that are right for them. And we say that all the time, we're about making visible and transparent the cyber security risks, you know, benefits posture, so that governments can make the decisions that are right for them, because every use case is unique, right? And every data set, you know, we always say you're going to protect your tax data a little differently than you might protect your fish and wildlife software that's counting trout, right? So we want to have a framework that allows for risk acceptance and risk based decisions.

Sam Hardin:

You know, when I talk to CIOs across the country and we start talking about StateRAMP, all of them just kind of have this, like, oh yes, thank you. You know about that? Like, it just seems like there's a weight lifted off people's shoulders, like, yes, we're standardizing this. Yes, it's going to become more efficient, more accessible. So I really think that that, even to, you know, your first comments, kind of goes back to that idea of people coming together and making it more efficient. So let's talk a little bit about the difference between StateRAMP and FedRAMP, you know, as StateRAMP is kind of newer. I don't know if I would say super new, but it's newer. And so some people might, I want to make sure we draw the clear distinction between FedRAMP and StateRAMP. So yeah, if you could explain that a little bit.

Leah McGrath:

Absolutely, and I'm going to, for the rest of the time, try to say GovRAMP, Sam, because I'm trying to get used to that. Just so, you know, you know, we have, I have a penny jar started. So every time I forget, I know, I know donating, it's so hard. But just so you're aware, so, you know, it's a great question. FedRAMP is a federal program that is run out of the GSA, you know, in the federal government, and it is codified in the NDAA. It is a federal thing, right? It's a government program that is run by the federal government, for the federal government. And so one of the things that we learned along the way is that those insights from a continuous monitoring perspective are not shared outside of the federal agencies, because it's a program designed to serve the federal agencies. And so that really left states, local governments, education, on their own to figure it out, and how cool that they came together to do what we're doing now with GovRAMP, so that they could come together in this shared solution fashion. So, number one difference, GovRAMP is a nonprofit. We are a 501(c)(6) organization. StateRAMP is the entity. That won't go away. We did just recently update to doing business as; we have a DBA as GovRAMP. And that's to better reflect our mission and those that we serve, because we don't just serve states.
We serve local governments, K-12 schools, higher ed are all able to participate in our program. So that is the reason for the name change to GovRAMP. But as a nonprofit, we're managed differently; so that's the first difference. When you get into our security programs, there are a few differences in the requirements and the way that we work. So our founding steering committee and our standards and technical committee has continued to really have a goal to align our frameworks with FedRAMP, and that's because the ecosystem. We're all connected. Right? And a lot, and it's based really brilliantly on the National Institute of Standards and Technology's Special Publication 800-53, now Rev. 5; that really speaks to the best practices in cloud security. And so because we have similar baseline standards, it does allow us to continue to align, which is really helpful so that we have a fast track program, for example, for providers, if they have had, they have, they, it's okay if they haven't even submitted it, but if they've had an audit, an assessment for a FedRAMP authorization or FedRAMP ready status, they can actually bring that same audit and same package through our program because of the alignment. And so that's really important, because it streamlines the process for the providers. But also, you know, our program, we've really designed some great efficiencies, and so it allows them to go through our program and really get that feedback while maybe they're waiting to go through the federal program. So just a couple differences, other things we've really innovated through iteration based on, you know, member feedback and understanding where the marketplace is today and where we want to go from a maturity perspective. So a couple of differences. One key is that we do not require a sponsor to become GovRAMP authorized. That's a big deal. If you've ever talked to anyone who's tried to achieve a FedRAMP authorization.
A barrier is finding a federal agency willing to sponsor. Right? Because that's a big lift for those agencies. We know what the lift is, because it's what our program management office does every day. So I fully appreciate and understand. So what we have is a centralized program management office. So rather than every agency or government being that sponsoring organization, we have a centralized program management office, and that was very important in the very beginning, and continues to be, because we wanted to make sure that the standards were applied consistently, so that if it says GovRAMP ready, or GovRAMP authorized, or we have a new status, we're launching GovRAMP core, you know, it's the same every time. If you are a government trying to trust that validation, you want to know there's consistency in application. So key difference would be that we have a centralized program management office who is really validating and doing the initial assessment. Now we don't need an agency sponsor, because we handle that differently. We have an approvals committee that meets monthly. They're made up, comprised of, think it's around 10 now, different government officials who've got technical expertise, who volunteer their time. I cannot thank them enough. I call this the most awesome, hard working committee, because it definitely is. You're like the life blood of our program. And every month they do reviews. So our program management office will give them an executive summary recommendations, and they do the reviews and meet monthly to be able to be that final authorizing body to give that GovRAMP authorization. So that's how we operate differently, allows us to have, I think, a more efficient cadence and also more consistent expectations as to what that process looks like with us. The other difference, and I kind of alluded to it, is, while our GovRAMP ready and authorized statuses and requirements very much mirror the requirements and process as FedRAMP.
We also have some other programs that provide a step by step approach into becoming ready and authorized, and that's because when we launched this program, we realized and heard from many of our provider members that they just weren't quite ready for that full assessment, or maybe they didn't need it, right? Because, again, when you're thinking about risk, we want to make sure that the requirements match the needs for risk. So back to that fish and wildlife example, if I'm counting trout, I might not need the full GovRAMP authorization, but there's still a potential data or security impact. So we want to make sure that there are some best practices in place. And so for that reason, we have kind of an earlier stage. I always say, start with Snapshot. We have an earlier stage program that's our government progressing program, Progressing Snapshot Program. And what that does is allow a provider to start. They have an, it's kind of, think of it like a mini audit. They're able to assess where they are in just those basic kind of the base 40 NIST controls. And in doing that, it's very simple. It's low cost. It allows them to see where they are, so they know how far do they have to go. And then our PMO advisors wrap around support every month. They have meetings to help advise them on how to most efficiently go forward. Where do you get the greatest bang for your buck when it comes to security outcomes? Because it's what we really try to drive toward, right? These are the things that, based on the MITRE ATT&CK Framework study, tell us have the greatest impact on risk. So we look at those controls with the higher risk protection values and start there. And it's so brilliant, because then also the providers can go back to their leadership and say, here's how I'm helping improve security.
So we have some earlier stage statuses like I mentioned, that lead up to ready and authorized that I think are so important in helping ensure providers have a path in and that our participating governments have visibility along that journey. So it's not a binary, "Are you authorized or not" decision. It's a "where are you in your journey, and is this risk okay to accept?"

Sam Hardin:

I almost see it as, like, kind of welcoming, open arms with the providers. Is like, meeting them where they're at, yes, but, but still withholding. Like, yes, this is very serious, and you need to meet these controls. But so, yeah, I think that's

Leah McGrath:

So well said. Yeah, it's that balance of we've and, oh. I can tell you our steering committee and board, they are very strong proponents, and I appreciate this, of being business friendly. This has to be something any business who's willing to put in the work, right, can attain. So it's not, we're trying to open the doors, be business friendly, without sacrificing the integrity of the program and security. And so it's a balance. But you know, I think that's why we continue to iterate, is that, you know, we are constantly, we had two meetings yesterday. We have quarterly meetings with our different provider and government and 3PAO members, where we have that opportunity for back and forth. We have committee meetings every quarter. We have, you know, annual input from our members, but it's really because we're just walking hand in hand, whether it's with our participating governments, to help them incorporate these into their risk management practices, and some, in some cases, we're helping them start their vendor risk management processes and programs. And so we have the ability to walk hand in hand with them, while we're also walking hand in hand with the providers. And I think it's being able to have input from all those stakeholders that's kind of the secret sauce, right? We need to hear from everybody who's working along these journeys to understand their pain points so that we can make it better.

Announcement:

You know how painful it is as a leader or member of a team tasked with managing large volumes of information, applications and licensing requests. You know what it feels like to be hamstrung by manual processes, mountains of paper and generally bogged down by doing things the old way. It's time to modernize. It's time for agency transformation. GL Solutions delivers a revolutionary approach to true agency modernization. GL Suite's agency transformation service will propel your agency beyond scattered improvements by implementing a strategic model of digital transformation. We take a consultative approach working alongside your agency to perform a deep analysis of your permitting and licensing systems and processes, to craft a detailed plan following the five phases of agency transformation. With a truly integrated system and seamless digital first workflows in place, utilizing GL Suite's analytics layer, you'll gain real time insights that power continuous improvement in permitting and licensing processes. In time you become the model that other government regulatory agencies seek to emulate. No matter where you are in your own modernization journey, GL Solutions can guide you to where you want to be. The time is now to transform your agency. To learn more, visit glsolutions.com today.

Sam Hardin:

From your guys' conversations and just the early days of StateRAMP, it seems like there was a gap there. I mean, you explained that at the state and local level. But do you think there was also a gap there where it was a little loose, and so, you know, you might get some vendors that say, Sure, yep, we can do that. And it wasn't really transparent.

Leah McGrath:

Absolutely there was a gap. I don't think it was nefarious. And I think exactly, yeah, it wasn't that. It was, it was sort of an honest gap for most. There may have been a few, but I think it's really, you know, when I reflect on just the past 25 years and how technology has evolved, I think it's, it's really been because, you know, we've shifted from self attestation, right? Sign here. And the idea that, well, we'll just require that you get more cybersecurity insurance, and that'll cover us, right? Yeah, that doesn't actually make you more resilient. That just drives the cost.

Sam Hardin:

Yes

Leah McGrath:

And so I think, I think that as we've learned more, and truthfully, as we've experienced as communities and country. You know, the entire country has experienced increased cyber attacks and cyber threats. We've had to really evaluate our practices. And so I think it's been a shift from self attestation, sign here, just something we'll have the attorneys work out, to really saying that's not good enough, right? We, if we are going to be good stewards of our critical infrastructure and data, if we are going to be more resilient and increasingly more reliant on private sector technologies, which I see as a very exciting opportunity, then we have to, you know, we have to become aligned in what our expectations are of one another, to meet a baseline security and so and to prove it. That's really the difference. It's going from self attestation to a prove it model so that we can have trust through that validation.

Sam Hardin:

Well, so yeah, you touched a little bit. Can you talk about some of the biggest cyber security challenges that you guys are seeing, or that's, that's kind of you're talking about at StateRAMP, or that's

Leah McGrath:

Yes, yes, yes. You know, I think it is. I think it's that balance of, how do I innovate and bring innovation to government faster while not sacrificing security? I think that's the biggest challenge, and it's why we have developed our snapshot program. Why we developed this new core status that we have is because we want to enable that trust sharing sooner in the process, if you say you have to wait until you become authorized before a government can fully use you. And there are circumstances where that's valid. There are absolutely circumstances where the risk is great enough, and that is valid to say, we will not use you until you are GovRAMP authorized, fully authorized. But there are circumstances where it is valued, it is valid to say, Hey, as long as you have a snapshot, as long as you are in the progressing program, and I know you're working towards something, or as long as you've got that core status as a starting point, then let's jump in and see how this works. What we've done is develop best practices for procurement contracting, right? If you don't have it in your contracting terms and conditions, it's just a good policy sitting on a shelf. So we've really tried to work with our participating governments to update terms and conditions. And an example of how we do that is to say, okay, maybe you might say, depending again, on the risk, you might say we are, we will start a contract. We'll enter into a contract with a provider, so long as they're, you know, part of the progressing snapshot program, and they agree to become GovRAMP authorized in 18 months, right? Because then you have, it's all about having that visibility of cyber risk and triggering those notifications when there is a challenge or problem. But I think that's the number one thing is, how do we balance bringing innovation to government efficiently, fast, while respecting, you know, the need for security so, so we try to solve for that.
I think the other challenge is that, you know, you can't just stop doing business right? If I'm a government, I've already signed a lot of contracts so I'm a K-12 school. If I'm an education agency, I have a lot of contracts underway with technology providers that we rely on heavily. We're transmitting really sensitive data, perhaps, but I can't just unwind that. I can't turn the lights off. So I think that's, that's a big risk that we see out there, right? And so, which is why, you know, I've always taken the approach of, in whatever I'm doing, stop the bleeding now start as you mean to go. And you really need to dig into those renewal periods when you have them for contracts, to make those updates while you can. And then there are some as you evaluate, if it's high enough risk, I would do a contract amendment right. I would, at the very least want a snapshot to know where I am. So it's, how do we go forward, innovating together quickly and efficiently. And then how do we deal with the legacy risk that we may already have?

Sam Hardin:

Well, okay, all you state agencies and local agencies, Leah told you, take a look. I love that. No, that's great that people should be doing that all the time. But yes, thank you. Well, okay, so now I'm starting to connect the dots, because I, so one of the things I was looking at, just I had popped up on my news feed one time, and I saw that Indiana Governor Mike Braun signed an executive order which directs all state agencies to engage only with cloud service providers. So now that I'm, now that you told me your background, I'm like, Okay, it's starting to make sense now, but so do you? So I kind of want to talk about that. As far as do you see the general landscape kind of going more like utilizing more private companies for state government? Because, you know, in the past, there were some states and larger agencies that would say, you know, we're going to house the data here on site, on prem, or something like that, or Sure. And so do we see more of a shift? Is that kind of why we're seeing that? Or what are you seeing on the landscape out there?

Leah McGrath:

That's a great question. And everyone's, you know, we, we certainly still, I think there's research recently that came out that demonstrates that most, most governments, have some type of hybrid approach, right? Some on prem, some clouds. So we also see some states that choose to host even though they're procuring. So, so this is, maybe gets a little bit of what you're saying. I may procure, you know, or procure technologies, but I host it in my own private cloud, right? Or my own government cloud that I've, that I've got. Even so you still want to make sure that the technologies that you're procuring, that their boundaries are secure when you're bringing them in, otherwise you are just bringing in all sorts of challenges, right? And so the challenge in doing so, or maybe just what you have, what you have to know that when you are hosting those solutions in your own cloud is that when that happens, some of the maintenance of those controls comes to you, right, because now you're hosting it. But you're starting with what you've brought in, so you want to make sure that you're bringing in a really solid cloud solution, whether that's a SaaS, a PaaS, whatever you've procured that you are relying on. I think that what we've seen, especially since the pandemic in 2020, is just increased reliance on these cloud tools, whether it's a SaaS or a platform, you know, to be able to deliver these services. And so I think it didn't happen overnight, but it feels like it did in terms of that. I think the other thing that we had for a while, if we go back to the self attestation days, was also a lot of rogue IT, where you had people buying the software as a solution in agencies or, you know, different business units within organizations because they were solving their business need. And so, and not that we don't want them to do that, but we certainly want them to do that in a systematic way.
And so there's a lot of change management that comes along with improving your risk management program.

Sam Hardin:

So Indiana is obviously a state that's adopted that. Are there other states that you guys are working on with, with kind of adopting a sweeping directive like that?

Leah McGrath:

is the best place to go to kind of keep up with what's happening. We do have a few participating agencies and governments who choose not to be listed. So if you ever have a question, just call our team. We're happy to hop on a call, but we really try to encourage folks to embrace that listing. Use the program pages we have there. You'll see some links, but some of the states that have some exciting activity right now, in addition to the state of Indiana, we also are working hand in hand with the states of Utah and Arizona is updating their program as well to really transition more fully to GovRAMP. And so we're really excited about that. But if you, if you go onto our website, if you go to the program pages that are hyperlinked there for the states of Utah and Arizona, we do have some upcoming webinars that you can register to attend. So and those are posted there. If you missed those, don't worry about it, but those are really where you can, you can learn more about how that's being incorporated across the different agencies. Okay,

Sam Hardin:

Now, is there? So with that, is there? Have you heard anything on maybe, why states are not adopting it? Or I, maybe I'll clarify, slower to adopt it.

Leah McGrath:

You know, that's, it's such a good question in every, I'm sure you've heard the adage. Doug Robinson, the Executive Director of NASCIO, says this often, if you've seen one state, you've seen one state. And so I think it really comes down to, you know, where are they in their risk management journey? How are they organized? Are they more centralized or decentralized? What is then the relationship and authorities that they have with either the vendor requirements and in the relationships with the procurement, wherever that lies. Sometimes procurement is in the department of administration. Sometimes there are procurement individuals or authorities within the technology agency. It just really varies. But those are all variables that really have an impact on how quickly and swiftly we see governments adopting. Because, as I mentioned earlier, really it's a change management adoption where you say, hey, we want to make sure we have more consistent standards across the board that are incorporated across our procurement. And to do that requires bringing a lot of stakeholders to the table, so everyone's in a different journey with adoption. If you were to look at our participating governments page, what you would see is, you know, if you and I were walking through each state or agency, they all fall in a spectrum. Some of them are early in adoption stage, where maybe they just recognize it as meeting, you know, their needs. Others may have, hey, we only accept two or three in governance, one of them, some of them have a preference for GovRAMP. New Hampshire is an example of that where they accept a couple of other security validations, but they have a preference for GovRAMP, so that you would actually get additional points in a solicitation scoring if you use GovRAMP.
Some, like Arizona, Utah and Indiana that we were mentioning, are going down the requirement route where, while these others are good, we require GovRAMP because that is more fully integrated into their risk management program. And just to give a little insight as to why you might go that way, why a government agency may choose to go that way, is part of our program, is that continuous monitoring sharing. So we have a continuous monitoring escalation process so that if there's a vulnerability, an event, I'm going to change, an ownership can trigger it right, or something like that. Then if, let's say, a company has given access to the state of Indiana, CISO or his team to be able to view the continuous monitoring summaries. Then if there is an incident, he's going to get a notification to log in and take a look. So it becomes more of a robust, proactive approach to risk management. And so if you're really trying to leverage GovRAMP to satisfy that, or be a bigger component in how you manage risk, then you would want to require it, or certainly prefer it. So everybody's in a different place. Some are just beginning to have risk management programs. Some are more mature. And so we, you know, like an example of the more mature in the Commonwealth of Massachusetts, they had a program in place already. So we're really adjunct to it and feed into it. So that's a complicated answer. I'm sorry for rambling there. It just depends on where everyone is.

Sam Hardin:

There's no better way to explain it. They're on a spectrum. They're either, you know, fully adopting or working with an adjunct, like you said. So I Yeah, that's a great way to put it.

Leah McGrath:

The other thing Sam I can say is I have a full appreciation for sometimes when you're in those seats, you are, your priority is what's on fire? Yes, what is what is hot, hot right now? And so where we've where we've seen those be most successful in the adoption process is when they actually dedicate, like a project manager, to it, because they recognize, hey, I'm going to be putting out fires over here, so I need someone else to kind of keep it moving. But it's, it's, they have a lot on their plates.

Sam Hardin:

Well, so Okay, so you've touched on it throughout this, but let's Can we just in the simplest form? Can we just explain, like, how would a vendor or a provider get in touch with start the process, engage with StateRAMP? And so if we could talk about that first and then on the other side, just the simplest form, how can a state get more involved? Start, you know, getting further on that spectrum with StateRAMP. So I know that's a two part question. I don't need the nitty gritty. Just kind of like, hey, here's simply what you would do,

Leah McGrath:

Easiest way, really, for both. But I'll give you two different emails. If a provider wanted to start, they could go to our website, certainly join as a member. And by joining, they're going to get follow up. And we're going to help them through the process. They can also email info@govramp.org or stateramp.org; it's going to go to the same place. So info@stateramp.org or govramp.org and that will connect them. We actually have a membership engagement team, and they would be assigned a dedicated person who can really be their liaison and walk them right through the process. So depending on where they are and where they want to start, we can get them plugged in and, you know, ready to roll. So that's the best place. Government kind of similar. We have a government engagement team, so they can email info if they want, and it's going to get to us or get government engagement team. Very clever, get@govramp.org, for government, and that's going to connect directly with our government engagement directors. All of us come from government on that side, and so they're going to be working with someone who really gets it and understands where they are and what they've gone through. And same thing, they'll just be the liaison to walk them through and meet them where they are.

Sam Hardin:

And I can attest to that. We have a liaison here at GL Solutions. She's wonderful. She helps us through all that. So I can certainly attest to that. Thank you for breaking that down. And so can we? Can I officially just start calling it GovRAMP all the time now?

Leah McGrath:

Yes, go for it. I just officially changed my email today to govramp.org. So, yeah, okay,

Sam Hardin:

Awesome. Okay. Well, thank you, Leah. I appreciate it so much. Wonderful conversation, and thanks for breaking it down for me.

Leah McGrath:

Absolutely. Thank you, Sam.

Announcement:

Thanks for listening to this episode of Talkin' SaaS, the podcast of GL Solutions. We'd love to hear your thoughts about today's topic and about the podcast in general. Reach out to us by clicking on the send us a text link right above the episode description in your favorite podcast app, via our contact page at glsolutions.com forward slash contact dash us, or on Facebook and X at GL Suite. And you can also connect directly with Sam Hardin and GL Solutions on LinkedIn. If you'd like to stay up to date on the latest news and solutions for regulatory agencies, click the subscribe link at glsolutions.com. Appearance on the Talkin' SaaS podcast does not constitute an endorsement of goods or services. The Talkin' SaaS podcast is copyrighted by GL Solutions. All rights reserved. Any redistribution or reproduction of part or all of the content is prohibited without express written consent from GL Solutions. The Talkin' SaaS podcast is a production of GL Solutions and is produced in association with Left Brain Right Brain Marketing. You can learn more about GL Solutions at glsolutions.com and Left Brain Right Brain Marketing at lbrbm.com.