Behind the Shield
Behind the Shield is InfusionPoints’ podcast where we sit down with partners, customers, and industry leaders to talk about FedRAMP, compliance, and cybersecurity in today’s government landscape. Each episode offers laid-back, insightful conversations that blend expertise with real-world experiences.
From Monthly Scans to Continuous Monitoring: Mastering FedRAMP Vulnerability Management
In this episode of Behind the Shield, hosted by Mike Strohecker, the Cloud Operations team at InfusionPoints dives into the realities of vulnerability management in FedRAMP environments.
Mike is joined by Ryan Adcock and James Bolton from the Cloud Operations team, where they support customers operating in FedRAMP High and IL5 environments. Together, they break down what it really takes to maintain compliance through continuous monitoring and why strong vulnerability management practices are critical to keeping an authorization in place.
This conversation goes beyond high-level compliance talk and gets into the day-to-day execution. From running scans and managing vulnerabilities to maintaining accurate inventories and communicating with engineering teams, the group shares what actually happens behind the scenes to keep systems secure and compliant.
They also explore how vulnerability management is evolving. What used to be a monthly exercise is shifting into a continuous, always-on process. With the introduction of Vulnerability Detection and Response, organizations are expected to move faster, respond smarter, and understand their environments at a much deeper level.
If you are a Cloud Service Provider, security professional, or part of a team working toward or maintaining FedRAMP authorization, this episode provides practical insight into what works, what does not, and what is coming next.
Chapters:
0:00 Introduction and Guest Backgrounds
2:35 Vulnerability Management and Compliance
5:24 Continuous Monitoring and Best Practices
12:01 Understanding Customer Environments
17:34 VADR and Continuous Monitoring
23:03 Prevention and Security Improvements
27:15 Communication and Closing Remarks
What You’ll Learn
• What continuous monitoring requires in a FedRAMP environment and how it impacts your daily operations
• The different types of vulnerability scans including OS, database, container, and web application scans
• How Plans of Action and Milestones are used to track and report vulnerabilities
• Key remediation timelines and why meeting them is essential to maintaining authorization
• Why authenticated scans are necessary and where many organizations struggle
• Common challenges when scanning containers and web applications
• The importance of maintaining an accurate asset inventory and avoiding blind spots
• How communication between security and engineering teams improves remediation timelines
• What changes are coming with Vulnerability Detection and Response and continuous scanning expectations
• How automation and risk-based decision making are shaping the future of FedRAMP compliance
InfusionPoints Links:
Mike Strohecker, VP of Engineering and Operations: https://www.linkedin.com/in/michael-strohecker-238326172/
Ryan Adcock, Cloud Operations / Senior Consultant:
https://www.linkedin.com/in/ryanaadcock/
James Bolton, Cloud Operations / Senior Consultant:
https://www.linkedin.com/in/james-bolton-cyber/
https://www.linkedin.com/company/infusionpoints/
https://www.InfusionPoints.com
https://infusionpoints.com/contact-us
About Us:
InfusionPoints is a trusted cybersecurity, cloud engineering, and compliance partner helping organizations Build, Manage, and Defend secure, mission-ready environments in highly regulated markets.
We specialize in FedRAMP, FedRAMP 20x, DoD, and enterprise security frameworks, supporting organizations from initial authorization through continuous monitoring and optimization. Our team brings deep technical expertise and real-world operational insight to every engagement.
Through our independent, security-first approach, we integrate people, processes, and technology to deliver scalable, compliant, and resilient solutions. From strategy and architecture to operations and defense, we help customers move faster without sacrificing security.
SPEAKER_02: Hello, welcome to our next episode of Behind the Shield. I am Mike Strohecker, joined by...
SPEAKER_00: I'm Ryan Adcock. I work on the cloud operations team here at InfusionPoints, helping customers in up to FedRAMP High and IL5 environments with their continuous monitoring programs.
SPEAKER_01: And I'm James Bolton, also on the cloud operations team, and I do the exact same thing as Ryan.
SPEAKER_02: Fantastic. So I know most of our audience has met Ryan before on one of our previous podcasts, assuming they're all following us, which I hope you are. But I doubt many of you have met James. So James, why don't you give us a little bit of history: what brought you to InfusionPoints, your path to get here, and some of the unique things that you bring to the table here?
SPEAKER_01: Yeah. So again, James Bolton here. Let's see, I started my journey with 12 years in the Air Force doing a mix of things. Started out in medical and then actually transitioned into the IT world while I was in. Ended up doing some SOC work, so more tier one, tier two SOC analyst work in SCIFs. And then after that, when I got PCS'd, or moved, I ended up taking over a vulnerability management team. And I did that for a few years. And then I ended up transitioning out of the Air Force. At that time, I was able to join Northrop Grumman. I joined them and did more Windows system administration work, networking, that type of stuff. After that, I joined the USDA Forest Service, where I actually joined their vulnerability management team. And that was a lot of work, about 40,000 employees, so you can only imagine how many devices are out there and all the work that we had to do. Ended up leaving the Forest Service. There were a lot of government cuts going on last year, as many people know, and I had the unique opportunity to join InfusionPoints. Didn't really have much cloud knowledge, but they took a chance on me, so I appreciate it. Been learning ever since I got here. It's almost been a year, so I joined in June 2025.
SPEAKER_02: So time flies when you're having fun, James.
SPEAKER_01: Yep, time has flown by. Love it here. Have gained a lot of experience and a lot of knowledge. I came in not really knowing much about FedRAMP. Had to be reminded what an ATO was. So a lot of growth over this past year. So again, grateful to be here and happy to be on the podcast.
SPEAKER_02: Awesome. Well, welcome to both of you. So as many of our listeners can imagine, what are we going to be talking about today? I mean, I have two CloudOps members here. I think we're going to be talking a little bit about vulnerability management, some vulnerability detection and response. So, with that, Ryan, I guess I want to start with you. As we work with our customers in this vulnerability remediation space, what are some big pillars that our customers have to meet as they're trying to gain this compliance? And in meeting those pillars, what are the challenges that they have to overcome?
SPEAKER_00: Yeah, great question, Mike. First, we always refer to the FedRAMP guidance as well as the DoD guidance for the continuous monitoring requirements. You may hear us refer to that as ConMon. That's the monthly objectives that we have to do. Not to be confused with Kanban, right?
SPEAKER_02: That's correct. Which is the project management term.
SPEAKER_00: Yes, ConMon. Part of that is running scans in these environments, right? And the requirements for the scans are that we must run OS-level scans on the infrastructure, as well as database scans, container scans, and web application scans. What we do with those scans is we take the vulnerabilities and all the assets they're on and add them to what's called the Plan of Action and Milestones, and that's called a POA&M. That's how we refer to it as well. Every month, we're scanning the environments, we're tracking all the vulnerabilities inside the system with each asset, putting it on this POA&M, and submitting it to the agencies for review. Part of that is looking at the level of severity of these POA&M items and vulnerabilities, right? There's a high, a medium or moderate, and a low. And they have specific SLAs, and that's very important for our customers to maintain their authorization status. So for a high vulnerability, it must be removed from the system within 30 days. For a moderate or medium vulnerability, it must be removed in 90 days. And for a low, they're looking for us to remediate that within 180 days. Those are some of the key deadlines and timelines that we work with our customers on.
SPEAKER_02: Right. And failing to do this continuous monitoring properly is really something that can get CSPs hung up pretty fast, right? They can get a corrective action plan for failing to properly report these vulnerabilities. They can even lose their ATO for not doing this properly. So, James, when you hop into these environments, what are the first things you look for? Say it's Monday morning and there's a new scan set. What are some of the first things you're looking for when you hop in there?
SPEAKER_01: Usually the first thing I'm looking for is any new vulnerabilities that I wasn't aware of from the previous week. Especially if it's a Monday morning, I know scans are running, I know what time they run. So as soon as they're done, I'm over there checking to see, especially if it's Microsoft Patch Tuesday, right? We know there are going to be new vulnerabilities there. So I just want to see what's actually impacting the systems. Looking at Inspector in the AWS environments, seeing if there's anything new there, since it's continuously scanning. We always have new vulnerabilities. So keeping a pulse check on that is vital to ensuring our customers stay ahead of the game and don't fall behind the eight ball, where something pops up and all of a sudden they don't have enough time to remediate within that SLA, and then we're rushing and scrambling to get things patched and closed out. So that's usually what I'm doing, mainly every day, especially with the continuous monitoring scans going on.
SPEAKER_02: Right. And I'm just going to reference the FedRAMP guidance here, so I honestly am paying attention. Going back to this FedRAMP guidance that we speak of, I really think it's good hygiene for most CSPs to follow this kind of guidance. I know it's transitioning; we're going to get into some of the new guidance that they're putting out later on. However, starting with the current guidance, or, I'm going to call it the Rev5 guidance, right? One of the big things I know when I did it that I would always look for was authentication. And I think that really hangs up a lot of customers. So what are some best practices on meeting that authentication that we typically try to adhere to? And how do we achieve this compliance? Ryan, I guess I can let you go first.
SPEAKER_00: Yeah, authenticated scans are important, right? It's part of showing that we're doing a full scan of the OS as well as databases. We leverage WorkSpaces in our AWS environments. We use Nessus as one of our scanning tools. And for WorkSpaces, we have a user in our AD that we use in our Nessus scanner specifically that has permissions into those WorkSpaces for those authenticated scans. So our Nessus scanner is able to get into the WorkSpaces to scan those fully. We do the same for databases, right? Most of our customers use AWS managed RDS databases. They still provide us a user into that database so that we can add that to our Nessus scanner to provide those authenticated scans. And I think a lot of customers struggle with getting fully authenticated scans.
SPEAKER_02: Well, I also think that a lot of customers think that because RDS is managed, because WorkSpaces is managed, hey, they're AWS's stuff, right? Like, we still have to scan those items. We have to make sure that the compliance settings are set the way they need to be, and that we're patching up what we're responsible to patch up.
SPEAKER_00: Exactly right. Yep. It'll be us, more than that. One of the other things...
SPEAKER_02: Yeah. Yeah, exactly. Is the database available? One of the other pieces of the guidance is that they actually recommend installing an agent to do the scanning. They would rather you have an agent on that endpoint. So then there's really no question whether it authenticated or not, because that scanner is living on that asset. Right.
SPEAKER_00: Yeah, and we leverage that, right? On all of our AL2023 instances that we leverage inside of Amazon AWS environments, we have an SSM agent on there. So Inspector 2 is doing an authenticated scan by leveraging that SSM agent.
SPEAKER_02: Yeah. And now I'm going to open another can of worms: containers. Let's talk about containers, James. What are some unique challenges that we run into when we're scanning containers? Because I know a lot of times we live in the AWS world, but there are also a lot of customers out there, and a lot of people that may be listening to this, that are going to use Kubernetes. So, what are some challenges and some advice you'd give around scanning those containers?
SPEAKER_01: I think the biggest thing I run into is proper tagging. I think that's a big issue, especially when it comes to vulnerability management. If there's no communication with the team that is deploying these containers, then you really don't know which containers are active and which ones are not active, right? Which ones are actually being used and which ones aren't being used.
SPEAKER_02: How do you know what you have to report on, right? I mean, exactly.
SPEAKER_01: So you could be reporting vulnerabilities on an image that's no longer in use, but you have no idea that it's no longer in use, because, say, Inspector is still showing those vulnerabilities. That's a thing I've seen quite a bit. So proper tagging, and then communication with the team that's actually doing vulnerability management and reporting, so they know what needs to be patched and what is active in the environment, would be the biggest thing that I see.
SPEAKER_02: Yeah, and there are a couple of different strategies for scanning containers, right? I know we use a strategy. I mean, are you guys familiar with the other strategies that are available?
unknown: Well, just go into that a little bit, Mike.
SPEAKER_02: Yeah, I can dive into that. So FedRAMP does allow, and other governing bodies allow, upstream scanning of the containers, as long as you're ensuring that the hash that you scan is the hash that's deployed in the environment, so that you're keeping an accurate track of those vulnerabilities, because we all know there are many challenges with scanning container technologies in any system, right? So, any other container issues that you see?
SPEAKER_00: You might be thinking, well, why don't we just remove the old images from the environment, right? We're not running it. Let's just go ahead and remove them. Well, with FedRAMP and with these compliance frameworks, we have to keep at least three to five images of the previous versions available for fallback solutions, right? So that prevents... it's a good practice anyway, right? It does, yeah, but you just can't say "we're not using those images, delete them," right? Unfortunately you can't do that in these compliance environments.
SPEAKER_02: Yeah, and I know a lot of the pieces that we manage from a cloud operations team, we're really scanning and maintaining that static environment, the ones that we manage, right? As an MSP. All the security infrastructure, all the management infrastructure. It's really knowing the architecture of the customer production environment and being able to communicate that, right? Yeah. James, if you want to elaborate some on that.
SPEAKER_01: Yeah, I think a big thing for us is to know the customer environment, right? If I'm doing ConMon for a customer, then I need to know their environment inside and out. How data flows in, how data flows out, what services they are using in AWS, what infrastructure they have set up. That's stuff that you need to know. Like we always say, you can't protect what you don't know about. And so if they spin up new databases or something of that nature and you don't know, then you're not going to scan them. So there's a blind spot right there.
SPEAKER_02: Well, that also brings another aspect of this whole continuous monitoring into the conversation, right? And that's host discovery, to ensure that we have the proper depth and breadth of the environment covered.
SPEAKER_00: Right. Yeah, I mean, one of the monthly artifacts we have to deliver to the agencies and reviewing bodies is an inventory, right? And that needs to be accurate every month, and they will be double-checking what's scanned versus what's on your inventory to ensure you have full coverage. So that's super important to provide and one of the requirements for every month.
SPEAKER_01: And that can be very difficult, especially for these large organizations, to keep track of. But it's vital. Again, you can't protect what you don't know about. That's something you need to be checking all the time: that asset inventory. You never know if somebody spins up something that wasn't vetted or approved; it happens. You need to know about it. An asset inventory is one of those ways to find it.
SPEAKER_02: Yeah, absolutely. And I think that cross-check is a key thing. Whenever we first start engaging with customers, there are some that have that good security hygiene in place already, but then some are like, help me understand why I need to do this. Because it's not just checking your inventory against your vulnerability scans, it's the other way around too: making sure that everything that you hit with a vulnerability scanner is actually inventoried and supposed to be there, which touches on your point, James.
SPEAKER_01: Yes.
SPEAKER_02: Now, I think there are two other kinds of scans that we want to dive into a little bit. And then I do want to spend some time talking about the new vulnerability detection and response. So I want to talk a little bit about web app scanning, some challenges that we run into there, and I want to talk about compliance scanning. That's always a fun one. But James, why don't you talk a little bit about web application scanning?
SPEAKER_01: Yeah, so for web application scanning, we utilize Burp Suite. That's one of the most well-known tools around that many people utilize. I think some of the issues I've seen with that is ensuring that you're getting an authenticated scan. I've seen instances where it's Burp Suite, right? I mean, yeah, that can be difficult. But again, you can do the same thing that we do with our Nessus scans whenever you're scanning a database, right? You can create a user just specifically for scanning. And that way you can get a fully authenticated scan on your web app. And again, I've seen it where you're scanning and you think everything's good to go and you're not getting anything back. Say you don't even get any information back. I think that's a red flag. That's a red flag where you need to go look and see, okay, what kind of status codes am I getting? Am I getting 200s? Am I getting 300s, where it's a redirect, or am I getting 400s? Am I getting errors where it's failing to authenticate? I think that's the biggest thing when it comes to web app scanning: ensuring, again, it's an authenticated scan. That way you know exactly what's impacting your web app and how to fix it.
SPEAKER_02: Absolutely. Anything else? I mean, I think you covered that pretty well, James.
SPEAKER_01: I mean, yeah, that's the biggest issue I see: ensuring it's authenticated.
SPEAKER_02: And honestly, with this web app scanning, I'm just going to jump into VADR now, right? I mean, that's really the biggie coming up: how is the customer's front-end application going to handle that? Because this is what's exposed to the internet. If you have a critical or a KEV in these scans, you're going to need to be able to act pretty quickly.
SPEAKER_01: Yeah. Gone are the days of waiting 30 days, right? "Oh, I have 30 days to patch." No, you're going to have days to figure out how to patch. So processes are going to have to improve. Something's going to have to change. Correct me if I'm wrong, but I think they want you scanning, what, every three days? If it's internet reachable. Is that what they're pushing?
SPEAKER_00: For web applications, like a web app scan, a Burp Suite scan, yeah, they do want us to run that every three days. And what's important to note with the changes with VADR, where VADR stands for vulnerability detection and response, right?
SPEAKER_02: Exactly right.
SPEAKER_00: But it doesn't have to be scary, right?
SPEAKER_03: It could be. But it's a change.
SPEAKER_00: And we're seeing FedRAMP change from these monthly scans, right, to more of a continuous scan, which can present unique challenges for customers. It's no longer just a once-a-month scan that gives you that 30, 90, or 180, right? It's going to be continuous. So one day you'll have a vuln, the next day you'll have another vuln. And those timelines for remediation are going to be different based on whether it's internet reachable, like you mentioned, whether it has a known exploit, whether it's behind some sort of privileges required to access that box. And I think that's going to be important because it's not based off of the CVSS score anymore, as heavily as it used to be.
SPEAKER_02: Well, I think it is initially, right? Right. But I think one of the key things that FedRAMP has put out is that instead of KEV, like, don't exploit it, they've really changed it to LEV, which is the likelihood that it's exploitable in your environment. Right. And that nuance to me makes all the difference, because yes, you're scanning every three days, and they've given the remediation timelines based on your accreditation level, right? Like your FedRAMP level. And they're not saying you necessarily have to remediate it, but you have to have some kind of mitigations in place to adjust that risk within those time frames, right? Now, there are timelines saying it has to be completely out of your environment by... there's a matrix, essentially. So it's not as easy as saying 30, 90, or 180. Right. But it really is that movement, as we've seen with 20x, going from the snapshot in time to continuous monitoring. Yeah, truly continuous monitoring. Right. And one of the challenges I see, and I think the three of us have spoken about this previously, right, is if you don't already have good hygiene and practices or processes right now, then it's just going to compound on you, I think, when this becomes continuous and it's not just a snapshot. I'm just going to make up a date, you know, March 27th, and then another one on April 27th, and then another one on May 27th, and everything that happened in the middle, okay, it's going to turn into that continuous validation.
SPEAKER_00: Absolutely right. Yeah, the vulnerabilities are going to be visible at all times, right? For the reporting agencies. It's no longer a once-a-month report, it's a continually updated report. And so you're going to be really exposed if you're not following good hygiene and remediating them within the new timelines that are set. Absolutely.
SPEAKER_01: Yeah, and I think that's why it's vital to ensure that you have a vulnerability management team, right? A dedicated vulnerability management team to stay on top of this. Because if you don't, you're going to fall behind pretty fast. More than likely you're already behind. So you need dedicated individuals that understand the vulnerabilities, that have that security engineering side as well as understanding scanning, right? Understanding how vulnerabilities can be exploited. And again, knowing your network is going to be vital as well.
SPEAKER_02: Especially for the risk adjustment, right? I mean, if you don't know your network, how can you say whether this is exploitable? Right. That's the direction they're going: you need to know if this thing is a real risk. Because I think what they were running into on the deviation forms was, "it's no big deal, they can't actually exploit us." It's like, but how do you know? Right. And I think that's what they're really trying to drive to, and I think the reason it looks for automation is because it's a one or a zero. It's a preset thing, a box, because that's the way computers work, obviously. Right. Ones and zeros. And that's the way we've mapped out going to VADR: is it internet reachable? No. Okay. Well, now let's go to the next metric. Right. Is it a KEV? So what's the likelihood of exploit in the environment? And just kind of working down the chain. But the CVSS v3 score does still come into effect, because I think that's your starting point.
SPEAKER_00: It is.
SPEAKER_02: And then it's more that automatic risk adjustment. Keep me honest, guys. I mean, yeah, you guys have read it too. What is your interpretation?
SPEAKER_00: That's a correct interpretation, right? It starts on the base score, and then they're expecting you to adjust it, risk-adjust it essentially for your environment, right? And then that really sets your true timeline. So it is important to know your environment exactly, resource by resource, what's deployed, all these different factors for risk adjusting. And that's where automation is going to be important, because these environments have a large footprint, right? It's going to be near impossible to do it manually, resource by resource, updating those timelines appropriately.
SPEAKER_01: Yeah, I think another thing that I read in the FedRAMP guidance is the prevention over remediation that was in there. Because it discussed how the simplest way to address internet reachable vulns is to intercept, inspect, filter, sanitize, reject, or otherwise deflect triggering payloads. And that's something I wrote down. Because again, that puts it at: what services am I using? What layers of security do I have in place? How does my data flow in and out of the network with those security things in place, such as a WAF or IDS/IPS, API gateway, you can go on and on, VPC segmentation, right? Is it still internet reachable? That's the stuff you need to know. And that can reduce that. You can risk-adjust it from there to say, no, well, it'll be stopped by this. You have defense in depth. You have a layered security approach, and that's going to be vital as well. Credit. Know your network.
SPEAKER_02: And VADR is giving you credit for that defense in depth that our customers have in place. And honestly, I think it's a great move. I think it's forward-leaning. I think it's not sacrificing security, because there are times, you know, that hard 30-day timeline for a high, okay, I get it. If it's an internet reachable resource that anyone can get in and exploit, that there's no MFA in place, that it's not behind all these other security controls you have, like a WAF, like whatever other IdP you have in between to get into it, or a NACL, whatever it takes to get to this resource, you're now getting credit for that. And you can take credit for that as long as your logic for how you've risk-adjusted it is sound.
unknown: Yeah.
SPEAKER_01: And those are the things that should go in that deviation request if you need to deviate the vulnerability: to show, well, these are the things I have in place, and this is why this vulnerability cannot be exploited. Those are the things they're looking for in those deviation requests. Not a fabricated statement, but, you know, this is how you get into my network.
SPEAKER_02: And to your point, Ryan.
SPEAKER_00: Yeah, I mean, to your point, I think this is more or less an improvement, right? This is giving companies and customers that are actually secure more resilience to it, right? And it gives them different timelines. So it's really showing, hey, we're secure, we're not as susceptible to these vulnerabilities as maybe other people could be, which is great.
SPEAKER_02: But I am going to caveat it, right? Because I think most have probably heard us kind of leaning down this path of, yes, we're going to give you credit for it, but you have to know those security layers that you have in place. You have to know your network. You can't just blanket say, hey, this is a risk-adjusted thing because I haven't had time to fix it. It's: are these legit items in place, and do we have automated mechanisms to ensure that that defense in depth is in place?
SPEAKER_00: Right. Yeah, it does come with some validation, right? Right.
SPEAKER_02: Which is the way 20x is headed. I think it makes sense. When I say headed, that's where they're at.
SPEAKER_00: Right, right. That's where FedRAMP Rev5 is headed, right? It's kind of following in lockstep with 20x.
SPEAKER_02: And it's getting those customers moving towards that 20x path and ready to ingest things.
SPEAKER_04: Yeah, absolutely.
SPEAKER_02: So, all right. Does anyone want to add anything else, any other advice we want to give anyone who's thinking about doing FedRAMP?
SPEAKER_00: I think one thing we didn't mention, right? We mentioned all these different security tools that we leverage for scanning, but an important thing also is that you keep those tools updated, right? Every time you're running the scans, it's got to be on the latest version, or you're going to get dinged by your 3PAO in your audit. "Oh, you're running an older, outdated version, your plugins aren't updated." It's going to be problems for you.
SPEAKER_02: And to me, it's deeper than that, right? It's not just a ding by your 3PAO. It's like, are you serious about security or not? Right? If you're serious about security, you're updating the sigs, what vulnerabilities it's trying to find.
SPEAKER_00: Yeah, absolutely. You need to have the latest and greatest from the security tools to be able to do a proper scan of the environment.
SPEAKER_02: And then I'm going to pivot it back over to James, because James does this so well on our CloudOps team: that communication with the customers, right? What are the key things that you were telling me yesterday about that, James?
SPEAKER_01: Just knowing the customer's app, right? Which updates might break that app, which updates need to go through that process of being thoroughly tested. You need to give the customer enough time, an ample amount of time. So that's something you need to know. You need to know the customer's application. Say Java, for example. Well, Java's going to cause issues. As soon as I see a Java vulnerability, I know the customer's application. So I will put that on their radar immediately so that they can begin testing and get through that process and we can get it patched under SLA, and that's a big deal.
SPEAKER_02: Because they have to go through a whole CI/CD pipeline, right? I mean, it's not just, hey, I've got to patch the Nessus scanner; I just run yum update.
SPEAKER_03: Yeah, yeah.
SPEAKER_02: But when they're having to patch their application, communication is key, right? I think the security team needs to keep regular communication with the engineering team so they know. One of the other things that I've seen as a challenge, and you guys correct me if I'm wrong, is it almost puts you behind the eight ball when you're not scanning upstream in your pipeline with the same tool that you're scanning with in production, right?
SPEAKER_01: Yes, because again, the scanners have different engines, right? So they're going to report the vulnerability differently, or they're not going to report it at all.
unknown: Right.
SPEAKER_01: Might be different scores, different plugins. It really depends on the day and what scanner you're using. So, yes, you need to be using the same scanning tool in test as you're using in prod. That's vital.
SPEAKER_00: Yeah, and to your point, James, communication is key, right? For these customers that have images that they have to rebuild every month because there are high vulnerabilities in them, giving them the most amount of time possible is valuable to them.
SPEAKER_04: Excellent. All right. You guys have anything else? You have any big plans this weekend?
SPEAKER_02: Nothing good.
SPEAKER_01: It's my son's second birthday, so I will be...
unknown: Happy birthday, James's son.
SPEAKER_01: Yes, I will be celebrating that on Saturday. I think we're going to the zoo, so that's what I've got going on.
SPEAKER_02: Well, fantastic. That'll be great. All right, guys. Thanks for joining us for another episode of Behind the Shield. We'll see you next time.
SPEAKER_00: Be sure to like and subscribe.
SPEAKER_04: Yeah. Like and subscribe.