1 1 00:00:00,000 --> 00:00:00,930 In this lesson, 2 2 00:00:00,930 --> 00:00:04,200 we're going to talk about step one in the real world. 3 3 00:00:04,200 --> 00:00:06,420 Now, step one is the Prepare step. 4 4 00:00:06,420 --> 00:00:08,640 The purpose of the Prepare step is to carry out 5 5 00:00:08,640 --> 00:00:10,770 essential activities to help prepare all levels 6 6 00:00:10,770 --> 00:00:12,900 of the organization to manage its security 7 7 00:00:12,900 --> 00:00:15,390 and privacy risks using the RMF 8 8 00:00:15,390 --> 00:00:17,160 or risk management framework. 9 9 00:00:17,160 --> 00:00:18,870 Now as we move through step one, 10 10 00:00:18,870 --> 00:00:21,480 we are trying to achieve five key outcomes. 11 11 00:00:21,480 --> 00:00:23,040 First, we want to ensure that 12 12 00:00:23,040 --> 00:00:25,200 key risk management roles are identified. 13 13 00:00:25,200 --> 00:00:27,450 Second, we want to ensure that organizational 14 14 00:00:27,450 --> 00:00:29,640 risk management strategies have been established 15 15 00:00:29,640 --> 00:00:32,010 and that the risk tolerance has been determined. 16 16 00:00:32,010 --> 00:00:34,470 Third, we want to ensure that an organization-wide 17 17 00:00:34,470 --> 00:00:36,360 risk assessment has occurred. 18 18 00:00:36,360 --> 00:00:39,210 Fourth, we want to ensure an organizational-wide strategy 19 19 00:00:39,210 --> 00:00:40,320 for continuous monitoring 20 20 00:00:40,320 --> 00:00:42,480 has been developed and implemented. 21 21 00:00:42,480 --> 00:00:43,980 And fifth, we want to ensure 22 22 00:00:43,980 --> 00:00:46,650 that common controls have been identified. 23 23 00:00:46,650 --> 00:00:49,320 Now, when we start thinking about this preparation step 24 24 00:00:49,320 --> 00:00:51,120 you're going to be going in and digging deep 25 25 00:00:51,120 --> 00:00:52,800 into what you actually want to accomplish 26 26 00:00:52,800 --> 00:00:55,410 during your risk management framework steps. 
27 27 00:00:55,410 --> 00:00:56,730 Now, I like to think about this 28 28 00:00:56,730 --> 00:00:59,010 as having a step before the preparation step 29 29 00:00:59,010 --> 00:01:01,350 but a lot of organizations will combine all of this 30 30 00:01:01,350 --> 00:01:03,840 into that first step of preparation. 31 31 00:01:03,840 --> 00:01:06,090 Really, you're going to start looking at your system 32 32 00:01:06,090 --> 00:01:07,590 as a system of systems, 33 33 00:01:07,590 --> 00:01:09,510 and then you're going to look at the left and right limits 34 34 00:01:09,510 --> 00:01:10,920 that may be placed on you 35 35 00:01:10,920 --> 00:01:12,120 that you're going to have to operate within 36 36 00:01:12,120 --> 00:01:14,820 as you're going through this RMF process. 37 37 00:01:14,820 --> 00:01:17,190 Part of this is ensuring you understand who the people are 38 38 00:01:17,190 --> 00:01:20,100 in your organization that are going to be using RMF. 39 39 00:01:20,100 --> 00:01:21,660 You also need to identify what roles 40 40 00:01:21,660 --> 00:01:23,040 those people are going to have, 41 41 00:01:23,040 --> 00:01:24,600 and you're going to have to determine 42 42 00:01:24,600 --> 00:01:28,110 who is your senior risk official or the risk executive 43 43 00:01:28,110 --> 00:01:30,180 that is going to be the person who is going to be 44 44 00:01:30,180 --> 00:01:31,860 overseeing this entire process 45 45 00:01:31,860 --> 00:01:34,500 and eventually making that go/no-go decision 46 46 00:01:34,500 --> 00:01:36,810 of whether or not your ATO will be approved 47 47 00:01:36,810 --> 00:01:39,000 or whether it's going to be denied. 
48 48 00:01:39,000 --> 00:01:40,620 By taking a look at all of these things 49 49 00:01:40,620 --> 00:01:42,660 you're going to be able to set yourself up for success 50 50 00:01:42,660 --> 00:01:44,490 and identify any issues or barriers 51 51 00:01:44,490 --> 00:01:46,560 that may stop you from gaining that ATO 52 52 00:01:46,560 --> 00:01:49,800 and that authority to operate as part of the RMF process. 53 53 00:01:49,800 --> 00:01:51,870 For example, if you're looking at a project 54 54 00:01:51,870 --> 00:01:53,910 that has to do with some kind of a legal issue, 55 55 00:01:53,910 --> 00:01:55,110 you need to be aware of that 56 56 00:01:55,110 --> 00:01:57,750 and understand what legal constraints may exist. 57 57 00:01:57,750 --> 00:02:00,600 For example, let's say you're processing credit card data, 58 58 00:02:00,600 --> 00:02:02,940 that would fall under PCI DSS. 59 59 00:02:02,940 --> 00:02:05,250 If instead, you're processing healthcare data 60 60 00:02:05,250 --> 00:02:07,170 that might fall under HIPAA. 61 61 00:02:07,170 --> 00:02:09,060 Either of these cases, there's going to be rules, 62 62 00:02:09,060 --> 00:02:11,700 regulations and laws that you're going to have to follow 63 63 00:02:11,700 --> 00:02:13,740 to ensure you're protecting that data properly 64 64 00:02:13,740 --> 00:02:16,050 and to identify that here in the preparation stage 65 65 00:02:16,050 --> 00:02:18,000 is going to be critical to your success 66 66 00:02:18,000 --> 00:02:19,560 as you move through the rest of the steps 67 67 00:02:19,560 --> 00:02:21,330 in the RMF process. 68 68 00:02:21,330 --> 00:02:23,520 Additionally, you want to make sure you're identifying 69 69 00:02:23,520 --> 00:02:25,830 who has the appropriate rank and title 70 70 00:02:25,830 --> 00:02:28,500 to be able to make that approval decision for you. 71 71 00:02:28,500 --> 00:02:30,630 For example, RMF is used a lot 72 72 00:02:30,630 --> 00:02:32,820 inside of the military and government sectors. 
73 73 00:02:32,820 --> 00:02:35,670 So if you're working in a military environment 74 74 00:02:35,670 --> 00:02:37,500 there's going to be a certain level or rank 75 75 00:02:37,500 --> 00:02:39,150 that's going to be associated with the person 76 76 00:02:39,150 --> 00:02:41,610 who has the approval to create that ATO 77 77 00:02:41,610 --> 00:02:43,320 for your RMF package. 78 78 00:02:43,320 --> 00:02:46,650 In most organizations, this will be a rather senior officer 79 79 00:02:46,650 --> 00:02:48,210 inside of a military contract 80 80 00:02:48,210 --> 00:02:51,450 or a senior executive in the civilian government service. 81 81 00:02:51,450 --> 00:02:53,370 Either way, during the preparation stage, 82 82 00:02:53,370 --> 00:02:55,920 it's really important to identify who that person is. 83 83 00:02:55,920 --> 00:02:57,450 So as you're building out your package 84 84 00:02:57,450 --> 00:02:59,400 you can make sure you're checking all the boxes 85 85 00:02:59,400 --> 00:03:01,140 so they can give you the approval to operate 86 86 00:03:01,140 --> 00:03:03,480 at the end of this RMF process. 87 87 00:03:03,480 --> 00:03:05,730 So as you're working through the preparation step 88 88 00:03:05,730 --> 00:03:07,860 it's important to realize that this is a lot of pre-work 89 89 00:03:07,860 --> 00:03:08,760 that you're going to be doing 90 90 00:03:08,760 --> 00:03:10,500 before you even start diving deep 91 91 00:03:10,500 --> 00:03:13,050 into all the different concepts of RMF. 92 92 00:03:13,050 --> 00:03:14,400 And this is really the big picture. 
93 93 00:03:14,400 --> 00:03:16,080 When I think about what is happening 94 94 00:03:16,080 --> 00:03:17,820 in the preparation step, 95 95 00:03:17,820 --> 00:03:19,050 I like to think about the fact 96 96 00:03:19,050 --> 00:03:21,270 that we're understanding the hierarchies of our systems, 97 97 00:03:21,270 --> 00:03:22,560 that we understand the big picture 98 98 00:03:22,560 --> 00:03:24,600 and we understand how everything is interconnected. 99 99 00:03:24,600 --> 00:03:26,220 For example, let's say you're working 100 100 00:03:26,220 --> 00:03:27,870 at a multinational corporation 101 101 00:03:27,870 --> 00:03:29,580 and there's going to be six different sites 102 102 00:03:29,580 --> 00:03:31,260 that are underneath your control. 103 103 00:03:31,260 --> 00:03:33,720 So when you're thinking about the preparation step 104 104 00:03:33,720 --> 00:03:35,790 are you going to be looking at the entire organization, 105 105 00:03:35,790 --> 00:03:37,710 including all six of those locations, 106 106 00:03:37,710 --> 00:03:40,440 or are we only looking at one of those locations 107 107 00:03:40,440 --> 00:03:42,360 and the other five are not going to be affected by 108 108 00:03:42,360 --> 00:03:44,430 this particular RMF process? 109 109 00:03:44,430 --> 00:03:46,410 Again, there is no right answer here 110 110 00:03:46,410 --> 00:03:48,450 and it really does depend on your organization 111 111 00:03:48,450 --> 00:03:50,610 and the system that you're trying to gain an ATO 112 112 00:03:50,610 --> 00:03:52,050 or approval to operate for. 113 113 00:03:52,050 --> 00:03:54,720 And so it's important to identify this all the way back here 114 114 00:03:54,720 --> 00:03:56,910 in step one as part of the preparation stage 115 115 00:03:56,910 --> 00:03:58,830 so you know what systems are going to be included 116 116 00:03:58,830 --> 00:04:02,010 as part of this RMF package and which ones are not. 
117 117 00:04:02,010 --> 00:04:03,360 Another thing that we're going to be looking at 118 118 00:04:03,360 --> 00:04:05,550 is this concept of common controls, 119 119 00:04:05,550 --> 00:04:06,600 and this is one of those things 120 120 00:04:06,600 --> 00:04:08,160 that I really wish people did more of 121 121 00:04:08,160 --> 00:04:10,620 at the beginning of their RMF process. 122 122 00:04:10,620 --> 00:04:11,940 If you start looking at your different 123 123 00:04:11,940 --> 00:04:13,290 categories of controls, 124 124 00:04:13,290 --> 00:04:15,870 you can see things like traditional security controls. 125 125 00:04:15,870 --> 00:04:16,920 This would include things like 126 126 00:04:16,920 --> 00:04:18,720 do you have the right locks on your doors? 127 127 00:04:18,720 --> 00:04:20,190 Do you have the right security cameras? 128 128 00:04:20,190 --> 00:04:21,870 Do you have the right fire suppression systems? 129 129 00:04:21,870 --> 00:04:23,400 And other things like that. 130 130 00:04:23,400 --> 00:04:25,920 All of these things would be traditional security controls 131 131 00:04:25,920 --> 00:04:27,150 that you're going to have as a set 132 132 00:04:27,150 --> 00:04:29,460 of common controls in your data center. 133 133 00:04:29,460 --> 00:04:30,480 In addition to that, 134 134 00:04:30,480 --> 00:04:31,770 you may have some things that have to do 135 135 00:04:31,770 --> 00:04:34,110 with availability inside of the CIA triad 136 136 00:04:34,110 --> 00:04:36,870 or confidentiality, such as different encryption techniques 137 137 00:04:36,870 --> 00:04:38,910 that you may be using as part of the system. 
138 138 00:04:38,910 --> 00:04:41,250 And as you go through each of these different areas, 139 139 00:04:41,250 --> 00:04:44,490 thinking about the confidentiality, integrity, availability 140 140 00:04:44,490 --> 00:04:48,690 identification, authorization, authentication and access, 141 141 00:04:48,690 --> 00:04:50,790 these are all things that are going to have to be considered 142 142 00:04:50,790 --> 00:04:52,350 as part of your common controls 143 143 00:04:52,350 --> 00:04:54,570 because a lot of this is going to be inherited 144 144 00:04:54,570 --> 00:04:56,880 from other systems or other locations 145 145 00:04:56,880 --> 00:04:59,910 that that system is connected to or operating within. 146 146 00:04:59,910 --> 00:05:02,040 Another issue you may have to consider is the fact 147 147 00:05:02,040 --> 00:05:04,050 that there may be some things that are going to happen 148 148 00:05:04,050 --> 00:05:06,000 at different sites in different ways 149 149 00:05:06,000 --> 00:05:08,190 but they're going to achieve the same objective. 150 150 00:05:08,190 --> 00:05:09,600 For example, let's say that 151 151 00:05:09,600 --> 00:05:11,130 I'm working in a military context 152 152 00:05:11,130 --> 00:05:13,200 and everybody's going to have to have a secret 153 153 00:05:13,200 --> 00:05:14,520 or a top secret clearance 154 154 00:05:14,520 --> 00:05:16,620 in order to work in this data center. 155 155 00:05:16,620 --> 00:05:18,510 Well, depending on which service they're in, 156 156 00:05:18,510 --> 00:05:21,150 whether they're Navy, Army, Air Force, or Marines, 157 157 00:05:21,150 --> 00:05:23,340 they may go through a different background process 158 158 00:05:23,340 --> 00:05:25,050 even though they're using similar forms 159 159 00:05:25,050 --> 00:05:26,550 and similar processes 160 160 00:05:26,550 --> 00:05:28,890 because this operates in a different way in each place. 
161 161 00:05:28,890 --> 00:05:30,120 You have to take that into account 162 162 00:05:30,120 --> 00:05:32,940 as you're building out your controls inside of RMF. 163 163 00:05:32,940 --> 00:05:34,830 And the reason for this is you have to decide 164 164 00:05:34,830 --> 00:05:37,200 are those four services doing the same thing 165 165 00:05:37,200 --> 00:05:38,610 and achieving the same outcome? 166 166 00:05:38,610 --> 00:05:40,350 And do we consider that equivalent? 167 167 00:05:40,350 --> 00:05:42,720 Now, in the case of the US government and the military, 168 168 00:05:42,720 --> 00:05:44,700 they do consider a security clearance from one branch, 169 169 00:05:44,700 --> 00:05:46,740 such as the Army, to be equivalent to that 170 170 00:05:46,740 --> 00:05:48,360 that's being issued by another branch, 171 171 00:05:48,360 --> 00:05:51,000 such as the Navy or the Marines or the Air Force. 172 172 00:05:51,000 --> 00:05:53,700 And so in this case, those are all considered equivalencies 173 173 00:05:53,700 --> 00:05:56,670 and they become a way to use those as a common control 174 174 00:05:56,670 --> 00:05:58,800 around the personnel security that would be applied 175 175 00:05:58,800 --> 00:06:01,080 to all of our systems inside of our data center 176 176 00:06:01,080 --> 00:06:03,600 because all the people working on all of those systems 177 177 00:06:03,600 --> 00:06:06,030 do have a security clearance at a certain level 178 178 00:06:06,030 --> 00:06:09,030 and therefore, they're authorized to work on those systems. 179 179 00:06:09,030 --> 00:06:11,760 And this also brings us to the concept of inheritance. 180 180 00:06:11,760 --> 00:06:13,200 Now, when it comes to inheritance, 181 181 00:06:13,200 --> 00:06:14,640 these are the things that you're going to be able to 182 182 00:06:14,640 --> 00:06:16,980 assume inside of your RMF package 183 183 00:06:16,980 --> 00:06:20,130 because you're inheriting them from a higher level control.
184 184 00:06:20,130 --> 00:06:21,030 For example, 185 185 00:06:21,030 --> 00:06:22,680 let's say I'm going to be putting your system 186 186 00:06:22,680 --> 00:06:24,420 inside of my data center. 187 187 00:06:24,420 --> 00:06:25,980 Well, if it's my data center, 188 188 00:06:25,980 --> 00:06:27,270 I'm going to be the one responsible 189 189 00:06:27,270 --> 00:06:29,970 for doing all the physical security, all the availability 190 190 00:06:29,970 --> 00:06:32,100 and all of the redundancy in our systems. 191 191 00:06:32,100 --> 00:06:34,650 So you're going to be able to inherit all of those controls 192 192 00:06:34,650 --> 00:06:37,260 that I create as part of your RMF package 193 193 00:06:37,260 --> 00:06:39,750 because your server is sitting in my data center. 194 194 00:06:39,750 --> 00:06:41,820 And that's the idea of inheritance here. 195 195 00:06:41,820 --> 00:06:42,810 If you're inheriting things 196 196 00:06:42,810 --> 00:06:44,700 from another system that is great 197 197 00:06:44,700 --> 00:06:46,350 and you just need to make sure you document that 198 198 00:06:46,350 --> 00:06:48,457 inside of your RMF package to say, 199 199 00:06:48,457 --> 00:06:50,310 "My boundaries are now smaller 200 200 00:06:50,310 --> 00:06:51,930 because everything outside of my boundaries 201 201 00:06:51,930 --> 00:06:53,460 are things that I'm going to be collecting 202 202 00:06:53,460 --> 00:06:56,280 from my inherited controls, such as my physical security 203 203 00:06:56,280 --> 00:06:59,130 or confidentiality, integrity and availability 204 204 00:06:59,130 --> 00:07:01,710 that's put in place at the data center level." 
205 205 00:07:01,710 --> 00:07:04,327 So as you start looking at this, you could say things like, 206 206 00:07:04,327 --> 00:07:07,260 "Everybody that works on my systems has already been vetted 207 207 00:07:07,260 --> 00:07:08,940 and authorized to work on those systems 208 208 00:07:08,940 --> 00:07:10,710 because they have a top secret clearance 209 209 00:07:10,710 --> 00:07:12,300 and this is a top secret facility, 210 210 00:07:12,300 --> 00:07:14,700 so I don't need to go and check that again 211 211 00:07:14,700 --> 00:07:16,290 and run another background check. 212 212 00:07:16,290 --> 00:07:18,690 Instead, I could check if their clearance is still active 213 213 00:07:18,690 --> 00:07:20,430 and valid and hasn't expired. 214 214 00:07:20,430 --> 00:07:22,230 And as long as all three of those things are true, 215 215 00:07:22,230 --> 00:07:24,630 we can say we've now met this requirement for this control 216 216 00:07:24,630 --> 00:07:27,750 because we inherited that by hiring only trained personnel 217 217 00:07:27,750 --> 00:07:29,490 that were already in a cleared facility 218 218 00:07:29,490 --> 00:07:31,410 taking care of other systems." 219 219 00:07:31,410 --> 00:07:33,780 Now, when I use a cloud provider, on the other hand, 220 220 00:07:33,780 --> 00:07:35,370 they're going to be operating on what's known as 221 221 00:07:35,370 --> 00:07:37,380 a shared responsibility model. 
222 222 00:07:37,380 --> 00:07:40,110 For example, if I'm using Amazon Web Services 223 223 00:07:40,110 --> 00:07:42,270 and I use something like an S3 bucket, 224 224 00:07:42,270 --> 00:07:44,730 that's a place where I can store objects in the cloud 225 225 00:07:44,730 --> 00:07:46,830 but I'm actually inheriting all the controls 226 226 00:07:46,830 --> 00:07:48,540 that Amazon already has in place, 227 227 00:07:48,540 --> 00:07:51,420 like their data center, their security, their availability, 228 228 00:07:51,420 --> 00:07:53,100 their confidentiality, their integrity, 229 229 00:07:53,100 --> 00:07:54,570 and all of those things. 230 230 00:07:54,570 --> 00:07:57,300 Conceptually, this is an example of inheriting controls 231 231 00:07:57,300 --> 00:07:59,460 in a cloud environment, and it works the same way, 232 232 00:07:59,460 --> 00:08:01,470 whether you're going into a commercial data center, 233 233 00:08:01,470 --> 00:08:04,530 such as AWS, Azure, or Google Cloud, 234 234 00:08:04,530 --> 00:08:07,350 or you're moving into a government or military data center 235 235 00:08:07,350 --> 00:08:09,450 that works as a private cloud model. 236 236 00:08:09,450 --> 00:08:10,770 Either way, you're going to be able to 237 237 00:08:10,770 --> 00:08:12,180 inherit some controls. 238 238 00:08:12,180 --> 00:08:13,800 It's important you identify what those are 239 239 00:08:13,800 --> 00:08:15,030 so you're not repeating those 240 240 00:08:15,030 --> 00:08:17,010 and creating more work for yourself. 241 241 00:08:17,010 --> 00:08:18,990 Also, the last thing that we have to think about 242 242 00:08:18,990 --> 00:08:20,880 in terms of this Prepare step 243 243 00:08:20,880 --> 00:08:22,140 is the fact that we have to understand 244 244 00:08:22,140 --> 00:08:23,760 who has access to do what. 
245 245 00:08:23,760 --> 00:08:25,830 And this means we need to figure out the roles 246 246 00:08:25,830 --> 00:08:28,920 of the different people involved in the RMF process. 247 247 00:08:28,920 --> 00:08:31,020 Now, we've talked previously about authorizing officials 248 248 00:08:31,020 --> 00:08:32,820 but there's lots of other roles out there 249 249 00:08:32,820 --> 00:08:34,590 like the information system owner, 250 250 00:08:34,590 --> 00:08:36,120 the information system auditor, 251 251 00:08:36,120 --> 00:08:38,970 the information system assessors, and things like that. 252 252 00:08:38,970 --> 00:08:41,250 So as we go through our Prepare step, 253 253 00:08:41,250 --> 00:08:43,530 our job is to identify all of those people 254 254 00:08:43,530 --> 00:08:46,140 and ensure we understand who's on the hook for what things 255 255 00:08:46,140 --> 00:08:48,600 and when in the process are they going to be called upon 256 256 00:08:48,600 --> 00:08:50,010 to do those things. 257 257 00:08:50,010 --> 00:08:52,110 Because if you choose the wrong people 258 258 00:08:52,110 --> 00:08:53,640 and you're on a tight timeline, 259 259 00:08:53,640 --> 00:08:55,410 you can actually cause a lot of problems for yourself 260 260 00:08:55,410 --> 00:08:57,210 down the road because the person you chose 261 261 00:08:57,210 --> 00:08:59,250 as your authorizing official, for example, 262 262 00:08:59,250 --> 00:09:01,050 may be going on vacation for a month 263 263 00:09:01,050 --> 00:09:02,970 or on a work trip for a couple of weeks 264 264 00:09:02,970 --> 00:09:05,100 and that can significantly delay your project 265 265 00:09:05,100 --> 00:09:07,020 as it's going through the RMF process 266 266 00:09:07,020 --> 00:09:09,030 because you selected the wrong people. 
267 267 00:09:09,030 --> 00:09:11,280 Also, as you've identified these people 268 268 00:09:11,280 --> 00:09:12,450 I want you to start going out 269 269 00:09:12,450 --> 00:09:15,360 and building relationships with them as soon as possible. 270 270 00:09:15,360 --> 00:09:17,280 This means you should reach out to those people 271 271 00:09:17,280 --> 00:09:18,810 and start a conversation. 272 272 00:09:18,810 --> 00:09:20,580 Let them know that your RMF package 273 273 00:09:20,580 --> 00:09:22,110 is going to be coming through the process 274 274 00:09:22,110 --> 00:09:25,470 and they've been identified to have X role in this project. 275 275 00:09:25,470 --> 00:09:27,930 By doing this, you can basically grease the skids 276 276 00:09:27,930 --> 00:09:29,400 and start shortening your timeline 277 277 00:09:29,400 --> 00:09:31,890 because people are going to be expecting to see your package 278 278 00:09:31,890 --> 00:09:33,510 as it's moving through the process. 279 279 00:09:33,510 --> 00:09:35,017 And like the old saying goes, 280 280 00:09:35,017 --> 00:09:36,900 "The squeaky wheel gets the grease." 281 281 00:09:36,900 --> 00:09:39,840 So if you are that person who's already reached out to them 282 282 00:09:39,840 --> 00:09:41,700 and they're expecting your RMF package, 283 283 00:09:41,700 --> 00:09:43,020 they're going to be keeping an eye out for it 284 284 00:09:43,020 --> 00:09:44,820 and they may be able to move it up in the queue 285 285 00:09:44,820 --> 00:09:47,010 so your RMF package can get attention quicker 286 286 00:09:47,010 --> 00:09:48,360 and hopefully move through the process 287 287 00:09:48,360 --> 00:09:49,860 in a more timely manner. 
288 288 00:09:49,860 --> 00:09:51,810 Remember, during our first step, 289 289 00:09:51,810 --> 00:09:53,370 it's all about getting prepared 290 290 00:09:53,370 --> 00:09:54,720 and that's really in the name of this 291 291 00:09:54,720 --> 00:09:56,640 because the whole process is really there 292 292 00:09:56,640 --> 00:09:58,470 to make sure that the rest of our processes 293 293 00:09:58,470 --> 00:10:00,870 and our steps as we move through the seven step model 294 294 00:10:00,870 --> 00:10:03,450 is going to work very efficiently and smoothly 295 295 00:10:03,450 --> 00:10:04,283 because we've done all 296 296 00:10:04,283 --> 00:10:07,700 of our preparation work here in step one.