ShopTalk: CMMC Compliance in Metal Finishing

Host: Dean Halonen, Co-Founder & CRO, Steelhead Technologies Guest: James Bull, IT Manager, Sullivan Precision Metal Finishing

Dean: Welcome, everybody, to ShopTalk. I'm your host, Dean Halonen — one of the co-founders and CRO of Steelhead Technologies.

ShopTalk is a show for those in the manufacturing space who have dedicated their livelihood to the craft of manufacturing. That can span a lot of ground — sales, production, scheduling, execution, quality, shipping. Manufacturing is, in a way, an ecosystem — and very much a team sport. In the job shop world especially, running efficiently is extremely hard.

Today's topic is on the IT side of things. IT is a go/no-go for any business. When it's not working, it's a huge problem. When it is working, it can be a thankless job.

Our special guest today is James Bull from Sullivan Precision Metal Finishing. I've worked with hundreds — if not thousands — of IT people, and James is the best of the best. He's been leading Sullivan through what I'd call a difficult time in the IT space, and we'll get into that here.

Sullivan is based in Sullivan, Missouri. They're a 70-person team focused on high-quality, high-reliability metal finishing since 1979. James joins us with four years of experience in the industry and a wealth of experience from before that. James, welcome to the show.

James: Oh, thank you for having me.

Dean: Let's start with your background — how did you get involved with Sullivan, what you did before, and what Sullivan Precision Metal Finishing really is from your perspective.

James: My credentials aren't that great, honestly. I ended up in this job completely by accident.

I started my IT career here, and it was supposed to be small — just manage a few things. They had a managed service provider they were signing on with, and I was just coming in to manage some odds and ends. The MSP was going to handle our CMMC certification — "sign up and you're done, don't worry about anything."

Well, we started doing some research and found out that wasn't even close to the case. The previous IT guy left, handed me a fat stack of paperwork, and said, "This is everything that needs to be done. I have not read it. Good luck." And left.

I inherited the job after that and have been learning IT as fast as possible — taking classes whenever I can, attempting certifications. But once we started CMMC, the certification time really dropped off. The classes are there, but getting them done is hard considering everything else we have to do.

That's how I ended up here. Before this, I did a wealth of different things. I had a hard time keeping focus, so I'd job hop until I got bored. I did a lot of process improvement work for a silk screening company out of Washington — revamped their entire process, did some 5S implementation — then jumped again because I was losing interest.

Here, with IT and CMMC, there's no lack of interest. Something is constantly going on. It's probably the best job I've landed in — the forever job. So I'm stuck with it. They're stuck with me. Until it gets boring, which it never will.

Dean: That's amazing, James. You jumped straight into the tornado. IT right now feels like a whirlwind — staying ahead of the curve is a full-time job in itself. And I'd say you guys are definitely ahead of the curve on CMMC.

For those who aren't familiar with CMMC or don't live in the 110 or 190 controls every day — can you give a simple version of what CMMC is and why it exists?

James: Sure. CMMC stands for Cybersecurity Maturity Model Certification. It's a mouthful.

It actually started in 2017. It's in your contracts — if you haven't read them, it's there, listed under NIST 800-171 and DFAR 7012. I've been preaching it for three years: it's in your contracts, you just don't know it's there.

What happened is it was originally a contractual obligation handled through self-audit. You reported to the DoD and your customers and said you were beholden to the standards. If you didn't get audited by your customers — and cybersecurity audits rarely happened — nobody questioned it. The DoD eventually found out that roughly 80% of the industry wasn't actually following through with 800-171.

They pulled back what was, arguably, a pretty flawed certification program, rebuilt it, and made it more manageable. It's still intense, but it's better.

At its core, it governs cybersecurity and how information flows through your company. You need to know where every controlled and classified document comes from and where it goes. If you're familiar with HIPAA, it's essentially our industry's version of HIPAA — that's the simplest way to put it.

HIPAA governs how your medical records are handled. Just because one doctor can see your records doesn't mean another doctor can. CMMC works the same way — just because one line worker can view a document doesn't mean another one can. It's about business need versus convenience.

It is a bit more intense than HIPAA — my wife works in the medical field, so I can say that with confidence — but it's the closest analogy. Your medical records are CUI. You are protecting CUI the same way doctors and nurses do. Treat it no differently.

Dean: And on the contracts — so if you look at your contracts under NIST 800-171, is there a callout indicating the contract is CUI? Or if you get a PO tomorrow morning, how do you know whether that print is considered CUI?

James: It should be on the document. It should be on anything that contains controlled or classified information. Most of the time, you'll only see it on schematics, not POs.

We went through a period of trying to determine whether part numbers were going to be considered controlled information. Our current understanding is that they're not — so most of the time, you're only going to see the CUI label on the schematic.

If it's done correctly, it should appear at both the top and bottom of the schematic. It's never done correctly. The industry is still catching up. We've had a lot of communication with our customers — including the primes — who just didn't think CMMC was actually going to happen. They should be labeling documents with the acronym "CUI" and indicating what type — whether it's export controlled, technical data, and so on.

The tricky part is when a prime labels a document, it reaches a customer, and that customer makes copies to send to us for masking or other purposes. Those copies sometimes lose the CUI callout entirely. So right now, it's very hard to tell what's controlled. Our general rule of thumb is: if it's a defense contract, we're 90% certain it's going to be CUI.

The rollout is coming. November 10th is when you should start seeing contracts that require CMMC compliance. If you're not compliant, you can't take the job. And that's also when primes will have to be compliant and when you'll actually start receiving documents that are clearly and consistently labeled as CUI.

Dean: So what is Sullivan's CMMC strategy?

James: Our first step was actually Steelhead — getting rid of paper on the floor. Everything was paper. Nothing happened that wasn't on paper, and I could not see how we could get certified with the archives and the mess that created.

So strategy one was eliminating paper and closing the technology gap we had. When I arrived, one of our systems was still running Windows 7. We updated the technology, then pulled everything away from our MSP, got our data back, and stood up our own systems. From there, we transitioned to software and infrastructure that could be considered CMMC compliant or FedRAMP approved — which is why we switched to Microsoft GCC High.

Part of what led us to choose Steelhead was your work toward FedRAMP approval. That was a major decision-maker for us. It was about making sure everything we do is compliant. Our only real strategy is working with our consultant, Karhu, to make sure everything is covered and all our users are trained.

We actually just had a customer come in to audit us. Our information flow policy states that no documents hit the trash — they go to shredders. They came through, put on gloves, and went through our trash to verify we were following our own policy.

That's the biggest lesson: write your policies and make sure your people follow them, because an auditor is going to do the same thing. He's going to dig through your trash.

Dean: Did you tell them to take it out once they were done digging?

James: If you do find anything, just tie it up and take it out. We'll be fine.

I was shocked. I knew they might do it, but I didn't expect them to be that committed to it.

Dean: New tagline: roll up your sleeves and do the work. So to summarize the strategy — get a digital system like Steelhead to control and log who sees what, get GCC High in place to create a secure enclave around the CUI, and then train your team. You mentioned certain people are trained on how to handle CUI — is that the whole company?

James: Everybody gets the same training on handling CUI. In an ideal world, you'd have departments that don't handle CUI staying out of controlled areas — but that's not realistic here. This company's been running 13–14 years. We have about 80 employees, most of them family members, and everybody wears multiple hats. The maintenance department is working around tanks and touching different parts of the operation.

So we train everybody. They may not be allowed to see or handle the documents, but they all get the same training. We do manage permissions carefully — masking personnel only see masking documents — but everyone understands how to handle CUI if they encounter it.

The other piece is minimizing how much data we keep here. Our strategy has been to own and manage our own data. No one else touches it. When someone else is managing your data, they typically have to be included in your audit scope, which drives up cost. We want to control costs and truly own everything we have.

Microsoft and Steelhead are the two exceptions to that rule. If a system is FedRAMP approved — like Microsoft — it's already been audited. There's nothing to worry about.

Dean: And for context, Steelhead is currently working toward FedRAMP moderate equivalent for December 2026. That will make it easier for operators — credentials can ultimately be held entirely within Steelhead.

What about sharing CUI with customers? How does that side work?

James: We historically used a compliant file sharing service through FileCloud. When we moved to Microsoft GCC High, we knew it would create file-sharing complications. If you're communicating with a customer who isn't in a GCC High environment, you can't share files with them through SharePoint.

There are workarounds, but part of our CMMC strategy is to minimize workarounds. Our position is that if a customer wants to send us CUI, they need to provide their own FedRAMP-approved or equivalent file-sharing service. We can provide one through SharePoint, but we don't go out of our way to announce that — we want them to have their own infrastructure.

We drew that line with a customer just a couple of days ago. They weren't happy at first, but it turned out they already had infrastructure in place — they just didn't want to set it up because they were still working through their own CMMC compliance. We've started requiring customers to bring their own services.

For commercial customers, we're probably going to use Google Workspace, managed the same way we handle our GCC High environment with the same protections. But for DoD work, customers are going to need compliant file sharing anyway — we're offloading that responsibility onto them.

Dean: That covers a lot of the CUI handling — internal storage, transmission, and external sharing. What about the policies, procedures, and training side? That's a big component of actually executing CMMC compliance.

James: It has been a long, drawn-out process.

There's been a lot of ambiguity — what actually constitutes CUI has been unclear until recently. The last major ruling, I believe in December of last year, is when they really put everything in stone. Once we had clarity, we had to go back and rewrite policies we'd drafted when we first signed on with Steelhead that we thought were compliant but weren't.

Some definitions shifted. Some certifications changed. And technology keeps evolving — FIPS 140-2, for example, is going end of life, but it's still temporarily allowed under CMMC. Eventually it won't be, so you'll have to rewrite your encryption policy again. NIST 800-171 just revised as well. We're still certifying against the old revision, and once that's done, we'll have to update all our policies for the new one. Audits are every three years, so we have a window — but it's a lot.

Our onboarding policy alone has gone through five revisions. The access control policy has gone through even more, because we went from an MSP to on-site data, then had a transition policy, and now a new policy specific to our GCC High environment. As new technology is added, it changes again. It's never a finished process.

I'm really glad we have support from Karhu to actually get that work done. We send it to them and they confirm it's solid.

Dean: Karhu has been great for us on the cybersecurity front too. It really is a living, breathing document — as rulings come out and technology changes, you just have to keep updating. What about enforcement and training across the team?

James: The training side is more daunting for employees than anything else. Because there's been so much change during our transition, it creates burnout. "We're doing it this way now. Three months later, this way. Three months after that, this way again." It's hard to convince people that we've finally landed somewhere stable.

In the meantime, we had to draft policies and put protections in place and train everyone, because if anyone looks — an auditor, a customer — we need to be able to show we're doing what we're supposed to be doing. You'll need those policy revisions as evidence during your audit anyway.

The burnout is real. But if we'd started training everyone in the middle of last year, once we had clarity on exactly what we were doing, we could have avoided a lot of the churn. The tradeoff is that we wouldn't have had the documentation trail to prove we were protecting data in the meantime.

The bigger issue at small, family-run shops is accountability. When a policy gets broken, what do you do? Most of the people here are related. What CMMC gives you, though, is flexibility — it tells you what to do, not how to do it. You write the policy to match what your company is actually going to do. You just have to follow it.

A good example: our onboarding policy was originally very strict — I wrote a detailed risk assessment for new employees. We hire a lot of people with criminal histories, and the owner worried that my policy would force them to start firing people. But it's our risk assessment. We get to write it however makes sense for us — we just have to justify the decisions we make. So we drafted it until it worked for everyone. No unnecessary concessions, everyone keeps their job, and the policy is still CMMC compliant.

That was the hardest thing to get management to understand — when I bring a policy, it's a starting point, not the rule. Tell me what to change, and it's okay.

Dean: Quinn from Karhu once told me: "Plan the work and work the plan." And in a way, that's exactly it — just do what you say you're going to do and write it down. That gets you a long way toward compliance.

Speaking of hiring, we had an aerospace shop in Compton, California with a similar approach to second chances. The owner's hiring policy was essentially: "If I don't believe I'll get stabbed by this person, I'll hire them, train them, and monitor their performance." That would probably be a challenge to get through a CMMC audit.

On the audit front — do you have to pass a third-party assessment to get Level 2 certified?

James: Yes. For Level 2, you do have to have a third-party audit. When CMMC originally launched, it was self-attestation. Now you have to hire a third party to come in. It's an expensive and thorough process.

We were relieved to hear it's structured as two stages. First, you submit your paperwork and evidence, and the auditors review it at their facility. If you pass that step, then they come to your facility and verify the physical controls — making sure employees are using their keycards to log in, that your lockout policy is working, that passwords aren't being shared, and that encrypted password storage is in place.

The big fear for most people — and for us — is that your paperwork is going to be your biggest failure. You'll miss something. I realized I hadn't documented exactly how we destroy CUI in our flow control policy. It's spelled out in the assessment guide that you have to specify this — I just missed it. We were worried that small errors like that would cause a fail, and we'd have to pay again with nothing refunded.

Fortunately, that's not how the process works. They'll only come out for the on-site phase after they've approved your documentation first. That should save a significant amount of hassle.

But the on-site audit is thorough. As I said — digging through your trash is something they may actually do.

Dean: This has been a phenomenal walkthrough of the key components of CMMC. Is there anything I missed? Data storage, transmission, the approval process — are those the main pillars?

James: Pretty much. It all comes down to how you act as a custodian of the data. In metal finishing, we don't create the data — our customers do. They're the owners. We're just custodians. That actually makes things slightly easier for us, because we don't have to label or identify the CUI — the customer does that for us.

Identification of CUI is actually a major requirement of CMMC. But for finishers, the customer should have taken care of that — it should be labeled on their documentation. A good portion of the harder work is already handled. What remains is managing the documents: knowing exactly where CUI is, who has it, how it moves through your facility, where it's stored, and who has access.

Dean: And now, shifting to the business side — manufacturing owners across the country are weighing the pros and cons of pursuing CMMC Level 2. You can go the commercial route, or you can make the significant investment in CMMC certification. From your perspective, what's the market feedback been on the ROI?

James: Until early January, it was still up in the air for a lot of people. We were receiving surveys from our customers — Boeing and Lockheed send them out — but none of the smaller companies were doing the same. It felt like it might not actually happen. But we knew it was.

I actually ended up in an accidental conversation with someone on Boeing's IT team. They'd sent out a survey that looked like spam — it asked questions a scammer wouldn't ask, so our CEO reached out to verify it, and that got us connected. And they made it crystal clear — middle of last year — "If you're not compliant when we ask you to be, we will never send you work again. You'll be taken off the approval list."

So we knew it was coming, and we had verification from Boeing. But customers didn't believe us. I get a little vocal, and I got into some heated conversations with customers who were convinced it wasn't going to happen. I told them: you cannot ignore this. It is coming. It's not like version one, where it quietly went away. Too many organizations — including Boeing and Lockheed — have invested too much time and money. Boeing and Lockheed wanted this. They wanted it badly enough that it's going to happen.

Boeing specifically has been pushing for it because once your suppliers are certified, liability shifts. If you have a data leak, it's no longer Boeing's problem — it's squarely yours. You proved you were certified and capable of handling documentation the way the government requires.

There's also historical context. I think the whole thing started when Honeywell accidentally sold parts and documents to other countries. Nothing was preventing them from doing it. That's what kicked this off.

Back to ROI — we started passing some costs on to our customers. We warned them as early as last year that we were going to fully commit to CMMC. Those conversations got heated, because we were essentially telling customers, "We have to be certified — and so do you." It took until about a year ago for most of them to start falling in line.

A good portion of our existing customers decided not to pursue CMMC. But new customers — ones we'd never worked with before who are committed to compliance — are showing up. They're coming in, visiting the shop, asking for copies of our policies and procedures.

We already do about 80% DoD work. We don't anticipate taking on much commercial work going forward. So few of our competitors in this region are going to be CMMC compliant. Our neighbors do sub manufacturing and some metal finishing work — they've flat-out told us they refuse to pursue it. They don't want to invest the money, and the retrofit cost for a building as old as ours is substantial.

On cost: it started at about $150,000 two years ago just to maintain Level 1 compliance. Since then, prices have risen significantly — one license alone jumped 36%. We're now at around $200,000 annually. It is very expensive.

But I think it's worth it. We have customers hunting us down — coming to us, visiting the shop, giving us work specifically because we're working toward compliance. And for customers who decide not to pursue CMMC, commercial work won't justify the cost of coming to us. We've accepted that tradeoff.

Dean: It doesn't take many jobs to pay for it. A couple of new customers could cover it. And you mentioned hitting milestones you'd never hit before.

James: Yes. We're hitting milestones we never thought we'd hit. Back-to-back record months. January through March is normally our slowest period — we would typically do layoffs, cut a few people, and bring them back around April or May. We didn't do any layoffs this year. Not one. Everybody kept their job.

Dean: So compliance pays the bills.

James: Compliance and efficiency both pay the bills.

Dean: Let's take some questions from the live audience. First one is from Quinn at Karhu Cyber: for a shop that now accepts that CUI and CMMC are part of their future, but is still behind the eight ball with the November deadline approaching — what do you know now that you wish you'd known earlier?

James: Unless you have a full internal IT team, do not try to tackle CMMC by yourself.

We have 80 people, and maybe 20 of them are actual PC users. Even at that scale, I could not have managed what we accomplished in this timeframe without a consultant. Without Karhu, we couldn't have done any of it.

When you're drafting policy, you're staring at it for hours — who's going to double-check your work? You need someone technical in your corner. We actually hired an additional IT tech to help, and having a completely separate set of eyes has been invaluable.

CMMC is a different creature. No matter your IT proficiency, it's unlike anything else. You need someone who has specialized in it, who's been through the school of CMMC. In a small shop, you're a jack of all trades — not a specialist. When specialization is required, you have to bring it in.

I wasted a year doing it without help. We drafted policies, went through the MSP transition — all of it. That was wasted time and wasted money. Had we hired a consultant from the start, we'd be a year further along. Get help now. Don't wait until you realize you're in over your head.

Dean: So the takeaway: bring in professionals as early as possible — it's a highly trained second set of eyes that de-risks the investment.

James: Exactly. A lot of our cost is in our GCC High tenant and Karhu's consultation. But there's significant value in what they bring — they have access to tools we're not willing to spend the money on individually. Endpoint protection software we use is extremely expensive at a per-license level. We access it through Karhu. Same with PC inventory management software. Their tooling is part of the value.

Don't try to do it yourself. Whether you're a smaller shop or a mid-sized one — get somebody to help you.

Dean: Totally agree. We use Karhu as well. They're great.

Second question from Quinn: when job shop leaders are deciding whether to invest in modernization, what creates buy-in fastest — margin, visibility, service, scheduling, labor efficiency?

The answer probably varies by shop, but I'll offer my take and turn it over to James.

Everybody has their own pain point — their own "Vietnam," as one of my brothers puts it. For a lot of shops, it's visibility and service. This is a service industry. "If you build it, they will come" — but when they come, you have to deliver. If you're not efficient, they won't come back, regardless of what certifications you hold. At Steelhead, we obsess over on-time delivery. All the great customers in the world don't matter if you can't spin a quality product at a fair price and in the timeline you promised.

What's been your experience at Sullivan?

James: Contract review and certifications were our worst areas when we came on board. In December of that first year, our contract review department still had contracts from November that hadn't been touched. It took days to plan new parts. The system was paper-based — it would spit out a 50-page work order that traveled across the floor.

New parts: days to plan. Parts we already had in the system: 30 to 50 minutes to plan.

Now, even with significantly more customers and more work, there is not a single document sitting in the inbox. At most, it takes 20 minutes from a part landing on contract review's desk to going out onto the floor. That has never happened here before.

It got to a point around August of last year where I got pulled into a conversation about the "lack of work" — because there was nothing sitting on contract review's desk. We pulled up Steelhead and said, "Here's the work. Look at our old system — we just did that same volume. It's just not piling up in front of your face. It's gone. It left."

Before Steelhead, we had trucks showing up to pick up unfinished parts — customers just taking them somewhere else. That doesn't happen anymore. We have very happy customers. Stuff just gets done, and gets done so much faster.

Certification was a nightmare before. Our certification department had no way to verify what actually happened on the floor — whatever was on the paper was the truth, even if it wasn't. Once we rolled out Steelhead, that changed.

At first, it felt like Steelhead was exposing how bad things were. But it wasn't Steelhead's fault — nobody was doing things right to begin with. We can just prove it now.

Our certification department now catches errors before parts leave the facility. They don't need technical knowledge — they go into the system, check the times against spec, and they can tell if something went over the prescribed limit. "Oh, this accidentally went over two hours — it needs to be stripped." Send it back, redo the work, repaint it, out the door. We used to have customers catching those errors for us. Now we catch them first. Reworks went down. Efficiency went up dramatically.

Dean: That's a flywheel — lots of small things all working together, processing faster, parts going out faster, leading to record months. It's a testament to the hard work across the whole company.

Another question from Quinn: where should a shop focus first when starting their CMMC journey, so they don't waste money on the wrong things?

James: Self-assessment. Find your consultant and start your self-assessment immediately.

And be honest. Don't mark something as in progress when it's actually failing — if it fails now, it'll fail later. Do your self-assessment and be completely honest about what deficiencies you have right now, not what you plan to fix eventually. Put it on paper. That is your starting point — the only place to start.

You have no idea what you're actually deficient in until you have it in front of you. The self-assessment takes a long time and it is a humbling experience. The highest score in CMMC is 110. The lowest is around negative 200-something. When you think you're at 70 and your self-assessment comes back at negative 100 — that's your reality check. "Oh, I wasn't doing as well as I thought."

That assessment sets up everything else: how much money you'll need to spend, what equipment you'll need, what policies you have to draft.

Dean: And a question from Solomon: you've made this marathon effort and achieved Level 2 approval. How do you let the world know?

James: We're not big on social media here — but that's something we've recently changed because of this. We now have someone on-site building a website that will display our CMMC certification. You have to be careful about what you put on there — there are rules around how certifications can be presented — but we want it visible.

We're also sending that person out to visit our customers in person, delivering proof that we're certified. If they're certified, we're certified, and we want their business.

Knocking on doors and letting people know is our best bet, especially for local customers. Word of mouth, proof in person.

Dean: Absolutely — especially for local customers. And last question, from Jeff: you mentioned time savings on contract review, order entry, and cert generation. With all that time freed up — are people going golfing at noon, James?

James: A lot of that "saved time" was overtime.

Our contract review department was working six, seven days a week. Burnout was real. People were breaking down. There were days the certification department just called in — "I can't make it today." The stress of interactions with customers and colleagues in that environment was that bad.

Now, overtime is practically gone. When we do have it, it's planned ahead. We know what's coming in because our drivers have tablets running Steelhead — they log everything they're bringing in. Sometimes contract review has parts planned before they even arrive. When there's weekend work, it's two hours on a Saturday and done.

The inability to go home and spend time with family was a breaking point for a lot of new employees — and was starting to break current employees too. That's done. People don't work until 7 PM anymore. They're not coming in on Saturdays and Sundays unless they want to.

And the increase in work didn't create a surplus of idle time — we're busier than ever. Work goes out the door. The overtime just stopped.

Dean: That's incredible. We actually had a customer out of Milwaukee, a shop owner named Dan Hernandez — amazing guy — who said the biggest change since buying Steelhead is that he's home with his wife and kids on Saturdays. He used to spend every Saturday catching up on paperwork. Some things are more than just dollars.

Last question, from Craig: if you're starting a new shop with limited capital, would you prioritize quality, speed, and getting the business running — or would you prioritize getting CMMC compliant first?

James: That's a tough one. I can't speak to it with certainty, but here's how I think about it.

First, look at your competition. If your competitors aren't going to be CMMC compliant, start your certification process anyway. It's going to dictate the equipment you buy — any automated equipment has to be compliant, along with the network connections to that equipment and everything running it. You need to think about compliance before deciding what to purchase or how to build out your network.

On the other hand, if your customers and competitors are staying commercial and not pursuing compliance, don't bother yet. Focus on quality and everything else. Here's why: shops that are pursuing CMMC are having to raise their prices to cover the costs. If you're just doing commercial work and not dealing with compliance costs, you can beat them on price. Their commercial customers may drift to you — while the compliant shops focus on DoD work.

You may find that the commercial work at non-compliant shops dries up as they price themselves out of that market to cover their compliance investment. There's opportunity in that gap.

Dean: James, thank you so much for taking the time. We went over — but I think it was worth every minute for the industry.

You're a leader not just at Sullivan, but in manufacturing at large. The vast majority of shops I see are behind where you are. You're setting the table for what "great" looks like. Thanks for sharing your expertise, because we need everybody to stand up and deliver together for this to really work.

If you're in the Missouri area looking for a great metal finishing supplier — one who has the compliance attached — reach out to Sullivan Precision Metal Finishing. James and his team will take care of you.

James: Thank you very much for having me.

Dean: Thanks, James. Take care. Thanks, everybody. Have a great day.