Behind the Shield

FedRAMP 20x and the Future of Compliance with Gary Guercio

InfusionPoints Season 1 Episode 30


Duration: 1:12:02

In this episode of Behind the Shield, we sit down with Gary Guercio, VP of Operations at Fortreum, for a deep dive into the evolution of cybersecurity auditing and what FedRAMP 20x signals for the future of federal cloud security. From the early days of manual audits filled with printed artifacts, screenshots, and physical binders, to today’s push toward automation, APIs, and machine-readable evidence, Gary shares a firsthand perspective on how dramatically the landscape has changed.

Together, we explore how the industry is shifting away from point-in-time assessments toward continuous validation, and what that really means for Cloud Service Providers, assessors, and agencies. This conversation goes beyond theory and gets into the practical realities: how auditors will need to understand code, how engineering and compliance are becoming tightly integrated, and why organizations must rethink how they build, manage, and prove security from the ground up.

We also discuss the broader impact of FedRAMP 20x on the market, including how transparency, competition, and automation could reshape how security is measured and trusted across the ecosystem. Whether you're just starting your FedRAMP journey or actively navigating 20x, this episode offers valuable insight into where things are going and how to stay ahead.

Chapters:
9:08 Introduction and Guest Intro
9:20 Career Path and Education
10:42 Early Career in Cybersecurity
13:36 Auditing and IT Controls
15:37 Booz Allen and Government Projects
20:39 FedRAMP and Fortreum
25:17 FedRAMP 20x and Automation in Auditing
59:26 The Future of Auditing and AI

What You’ll Learn:
• How cybersecurity auditing has evolved over the last 25+ years
• The biggest differences between traditional audits and FedRAMP 20x
• Why automation and machine-readable evidence are changing everything
• How the role of assessors is shifting toward code and engineering understanding
• What continuous validation actually looks like in practice
• The challenges CSPs will face when adopting 20x
• How competition in the marketplace could drive stronger security outcomes
• Where AI and automation are headed in the auditing space
• Why FedRAMP 20x is about more than compliance, it’s about changing the system

Guest Links:
Gary Guercio- https://www.linkedin.com/in/gary-guercio-48622b5b/
Fortreum- https://fortreum.com

InfusionPoints Links: 
Gary Daemer- https://www.linkedin.com/in/infusionpoints/
InfusionPoints- https://www.linkedin.com/company/infusionpoints/
20x Webinar Series | Session 1- https://youtu.be/EoaXjGa-vl0?si=UmnDCXY4dhTKpC6L
20x Webinar Series | Session 2 Registration- https://xbu40.com/20x-cohort/april-28-26

About Us:
InfusionPoints is a trusted cybersecurity, cloud engineering, and compliance partner helping organizations Build, Manage, and Defend secure, mission-ready environments in highly regulated markets.
We specialize in FedRAMP, FedRAMP 20x, DoD, and enterprise security frameworks, supporting organizations from initial authorization through continuous monitoring and optimization. Our team brings deep technical expertise and real-world operational insight to every engagement.
Through our independent, security-first approach, we integrate people, processes, and technology to deliver scalable, compliant, and resilient solutions. From strategy and architecture to operations and defense, we help customers move faster without sacrificing security.

SPEAKER_03

Welcome to another episode of Behind the Shield. Today I have as a guest Gary. You want to go ahead and introduce who you are and what you're about?

SPEAKER_00

Sure. Gary Guercio, I'm the VP of Operations at Fortreum.

SPEAKER_03

Cool, cool. So tell me, how does somebody become the VP of Operations at a nice 3PAO auditing type company? Talk about your history and how you got here, the education that you had to go through, and what all, from a philosophy perspective, kind of landed you where you're at.

SPEAKER_00

So yeah, it's an interesting road. I don't think I ended up where I started, or I started where I thought I was going to. I went to Virginia Tech for my undergrad, Go Hokies, and I got my degree in Management Science and Information Technology, Computer-Based Decision Support Systems, which I believe was the longest name of a major at the time. They've now changed it to Business Information Technology. But there you go. What we were supposed to be back in 1997 was those interpreters between individuals who understood business but didn't really understand how to take those business problems and develop applications. So I thought I was going to come out of school and work for a Price Waterhouse Consulting or Andersen Consulting at the time, which was actually Arthur Andersen. And I actually was hired out of Virginia Tech to work at Price Waterhouse Consulting, but the Arthur Andersen Enron issue happened. And then you saw all these huge companies start to break up, and essentially they released all their employees out of school before they even started them. Wow. So I kind of fell into cybersecurity. I went back to college for a semester and started my master's degree and got a job with a company called Urbach Kahn & Werlin. They were based out of DC and they did a lot of CFO Act audits, FISCAM. Essentially applied FISCAM, which is, oh god, the Federal Information System Controls Audit Manual, created by the GAO. Very similar to NIST 800-53, it was just GAO's version. And so I started doing audits, right? And if you would have asked me when I came out of high school or through college if I was going to end up doing IT audits, I wouldn't even have known what they were. Right, right. So I started doing audits, and it's interesting because our conversation will get into kind of where we are today.
But man, when you look back at what I was doing 25 years ago, we would go on site to do interviews, we'd have to get printouts of all the artifacts. Scanning tools weren't even really something that was being used at the time at all. I mean, you're talking about looking at some mainframes like RACF, and you're talking about NT systems at the time, and you're going through, and much like today, you're looking at what's on screen, but they're taking screenshots, they're printing them out as you go. There's a printer in the interview room. Your policies are all printed out. And you'd have to go back and you'd create these binders. I was telling some of our analysts, I was like, man, you guys have it so good. My Fridays were putting binders of artifacts together and taking a little colored pencil and putting on, it was called the letter method, and you would have to put it to and from, and every piece of paper had to have a unique number, and then you'd build these binders, and then you'd have summaries by the equivalent of control families, and you'd have it tie back in with summaries by control, and then you'd have it tie into lists of findings, and then you'd have a final report, and it all had to tie back so you could find that original artifact. And I'm like, so wow, look what we're doing here.

SPEAKER_03

Requirements traceability, right? Almost a requirements traceability perspective. Okay, yeah, I remember those days.

SPEAKER_00

Yeah, and we had this big library in our office, and we would just go put these, I mean, every audit, six months, we'd have these huge binders, we'd have a library of binders, and then by the time you're done, you're starting to plan for the next one on the same system. And I was thinking to myself, when do they have a chance to fix anything? Right, because they're always in an audit, right? Right. So I stuck around there for a year, learned a lot, went to the Gannett Corporation. Because of Arthur Andersen and Enron, Sarbanes-Oxley came out. Oh, yeah. And that 404 compliance rule, which I ended up being one of their first IT auditors at Gannett. And we were specifically looking at IT controls or something. Internal or external? Well, I was an internal auditor. I was the internal auditor.

SPEAKER_03

Okay.

SPEAKER_00

I was an internal auditor, one of their first internal auditors. PwC was our external auditor at the time. Learned a ton there. I traveled the world for like two years to all their different sites, because they were all distributed. The idea of a cloud, doing things in the cloud versus doing things local, just wasn't there. Everybody had distributed networks. I mean, we had data centers, but they weren't... We were starting to move into things, but every newspaper site had their own little system and they ran their own servers under the desk, servers in the closets.

SPEAKER_03

Oh, yeah.

SPEAKER_00

Yeah. Their own application.

SPEAKER_03

I actually just did a short video on this just the other day.

SPEAKER_00

Yeah. Their own collection, so you'd have to go do most of the revenue. I've always lived in the DC area, so I wanted to get into the government side of things. I went to BearingPoint after I worked at Gannett. BearingPoint was, when KPMG had to break off their consulting wing, their consulting wing became BearingPoint, which is now Deloitte Consulting because Deloitte bought BearingPoint.

SPEAKER_01

Right.

SPEAKER_00

And BearingPoint, it was interesting because they were going through a lot of internal audit issues. So I got pulled internally and actually built an application to help track all of their financials internally for their internal audit. Work, some intelligence.

SPEAKER_03

Still staying from that internal perspective, like internal QA, internal audit.

SPEAKER_00

Yes. Okay. But I learned a lot about financial management, especially at the project level. So, you think about how I evolved to a COO or a VP of Operations. You have to understand the tech, what are we doing from a delivery standpoint, but you have to understand that financial side of it. And building a system that had to track financials for internal audit kind of changed my trajectory a little bit. I always wanted to get back into IT audit at that point, but I was quickly able to manage projects when I went back out to the field as opposed to doing internal audit. So BearingPoint moved me into the Intel space, and I was a PeopleSoft developer for a while, doing something a little different. But then I really wanted to get into assessments. So I had a friend that worked at Booz Allen. That friend at Booz Allen Hamilton brought me over to Booz Allen and I started off doing, I guess, advisory work for the IRS. And we were building their SSPs very much like we do on the FedRAMP side of the house today. Go interview people, understand what they're doing, build out those implementation statements, build these SSPs, and we prep it all for another organization to come in and do the NIST 800-53 Rev 1 assessment, maybe at that point. I don't want to date myself too much, maybe Rev 2.

SPEAKER_03

Well, seeing how Booz Allen helped write a lot of those standards in the beginning. Correct. And as you know, I spent quite a few years there at Booz Allen as well. And I think we actually worked in the same or amongst the same teams back in the day as well. I spent quite a few years there leveraging folks like yourself who were doing the auditing side, the FISMA audits, and helping us with the documentation side as well. Yeah, we mainly focused on the security engineering pieces of it; that's really what we focused on, that engineering aspect. But with you guys helping with the interpretation of what the requirements actually meant, it helped us tremendously.

SPEAKER_00

So it was great at Booz. Booz gives you a lot of opportunity to move around. So I think one of my most memorable projects, and it really ties in a lot with where we're going with 20x, is I supported George Moore and John Streufert when they were at the Department of State. We as Booz Allen were doing their overall State Department FISMA assessments, but at the same time there was a parallel project: how could we automate things? And what they were trying to do was lead the way inside of government for FISMA. Because we're running scans at this time. I remember introducing Microsoft's Baseline Security Analyzer to run vulnerability scans one time, and you would have thought I was trying to hang somebody or something. I had to go to a CFO to get permission to run it, just to see if they're doing the basics. But at this point, you had tools out there that were able to enumerate systems and be able to use privileges and pull data back. And it was kind of that idea of, well, if we can do this and do it at scale and more often, could we create a system? So they created something called iPost, and they were looking at unique ways to pull information forward on a more continuous basis. Now it's not where the cloud is today, and what we ran into, we started to look at 800-53 from an objective standpoint. So maybe not an outcome standpoint, but every control has an objective. And we came into, there were 15 core objectives. And if we could figure out a way to pull data from the system in near real time, we could come up with risk scores. And those risk scores, very simple green, yellow, red, right? Green system: once it's authorized that first time, it's continuously authorized. Hits yellow, well, maybe something happened. Was there an SCR?
Was there something pushed that took that desired state versus actual state and took it out of, and then red, like what happened? And that would be when you'd engage someone to come in and do more of a root cause analysis to figure out, okay, where down in my control setup and my reporting setup is the problem happening, right? And the way we would do audits at the State Department is, if a system was fully on board, we'd take, I'm gonna say the word, and I know at least Ethan on my team is gonna yell at me, we took a screenshot of the iPost dashboard for the day. Right. And at the time it was covering vulnerability scans, software inventory, hardware inventory, if it was fully engaged on that system. And we were starting to do some compliance scans, and we were able to take those screenshots, put them into our package, and then test the rest. So you were already starting to see efficiency and quickness in testing. But we had some limitations because of the way the systems were built then versus now in the cloud. A lot of those next tier of controls, auditing, identity management, there weren't the APIs or the command line. It just wasn't there yet to be able to do that. The richness of that accessibility was just... Agreed. Yep. Right. And so I was at Booz Allen up until, as you know, Michael Carter, my boss now and founder of Fortreum, he was at Veris Group. He brought me over as the first hire to help build out the FedRAMP program at Veris Group. Veris Group was, as you probably know, the number one provider until Coalfire purchased Veris Group. I was at Coalfire for quite a few years. So Veris/Coalfire, I was probably there eight years, something like that. Oh, okay. And then I decided to go my own path for a while as a 1099.
And then Michael and James, as they were starting Fortreum, had asked me to come on board and essentially run delivery. At the time, I think we were maybe a team of seven. We're about 130 now. So we've had quite the growth. But I kind of fell into the operations role. I think my experience across audit and what our core capabilities were, my interest in always trying to continue to learn new things, and then some of the background in financials, it just made for a good match. Right. And I've worked with Michael now about 13 years. He was actually a subcontractor for me at Booz Allen. Oh wow, okay. So Veris used to subcontract to Booz Allen doing some of the IRS work. So that's how we interacted, and he brought me over. So it's been an interesting ride, but philosophically, you hire good people, you enable those individuals to experiment and figure out how to do things better. And the company flourishes in that case, and you continue to improve on a daily basis. Right, right.

SPEAKER_03

So yeah, interesting background. And I think in some ways our careers do overlap. I know they overlapped when we were both at Booz Allen, because I was there at the same time you were there for a while. And then, really, what we did is we took it from a different perspective. I'm an engineer. My master's is actually in systems engineering, and I got it from Virginia Tech, but I'm one of those guys who has never been on the Virginia Tech campus. Kind of weird, isn't it? So I went to the Northern Virginia campus, right outside of, I think it's outside Falls Church, right? Falls Church, yeah. There you go. Right outside of Falls Church. It was awesome because I worked in Falls Church, and when I drove home, because I lived in Manassas, I would drive past that campus every single day, and I would stop one day a week and work on my master's degree. It took me about six years to get it done, but it was really neat and interesting to go on and get your master's degree, and having it right there made it pretty accessible as well. But we took this from a systems engineering perspective, looking at the requirements, and what we came up with was themes. We called them themes. And those same themes: what do I have to put in place to satisfy all of these controls and then be able to have the outcomes that you desire? And what we found is about the same thing, about 15 different themes. If I put this tool in and I integrated it this way, it would enable me to meet these 32 requirements. If I develop this one procedure, it'll hit these four things inside of the customer's environment.
That's kind of how we've always approached it: what can we do from an engineering perspective to develop as few outside tools as possible and to leverage as much cloud native, now, right, as possible in order to meet all of those themes at the time. Now it's the Key Security Indicators. And so that's why we've been able to translate what we have done into 20x pretty rapidly. Now I know your teams, since you've been working on the operations side for a while, you audit a lot of the systems that we build. So help me understand some of the differences, say, between some of these high IL5 environments, the DoD IL5 environments, versus where 20x is going. I would rather you spend more time on the 20x side and maybe a little bit of time on the IL5 side.

SPEAKER_00

So I think from an assessor standpoint, you're looking at it from a completely different lens. We're no longer required to essentially look at the controls and assess a risk against it. In Rev 5, it is very much: read your documentation, interview, show me on the screen, let me take a screenshot. Maybe you'll do a sample. I mean, in bigger environments, there's just not enough time, right? So you have to do some kind of sampling to get some confidence that the control is consistently deployed across. And then you write up your report based on risks, high, medium, low, which there's no good science behind, right? And then you take the 20x approach, and you do care obviously about the risk of the system, but the big thing is understanding the process and the pipeline that the CSP or the audit target is taking. So, what does the environment look like? What are all the resources that I care about from my minimum scope? How are you pulling that data? Is it infrastructure as code? Is it some kind of Python script that's pulling it? And I was told this the other day, I think Robert Gill said it: it's turned into interviewing code and evaluating whether that code is covering everything. And at the end, are we satisfied that you've covered your environment and you're pulling all your information back correctly? You're aggregating it, and then on your final response we can put our assertion, whether it's true or false or pass or fail, that it's accurate. And it's changed the nature of what an auditor is going to have to know. The assessor is gonna have to understand code. They're gonna have to understand some basics. You didn't have to be a coder to be an assessor before.
I always told new assessors coming into the Rev 5 environment: it's our job to be experts on the objective of the control. There are so many technologies out there. Yes, you want to understand technology, but you're not gonna understand the ins and outs of every technology. You can't. There's no way. Right, too much. But if you can articulate yourself from what the goal is and you understand that it doesn't need to be binary, this is where a lot of assessors, I think, get themselves in trouble. It's never black and white, there's a huge gray area. Exactly. There's a huge gray area. Are we achieving, even if it's an alternative method, the ultimate objective to secure the system at a reasonable risk? So now we're gonna look at auditors and we're gonna start cross-training to understand code. We're probably gonna look at some code analyzing tools to help us understand what we're doing when we're looking at some of these Python scripts and infrastructure as code. And how do you do it at volume?

SPEAKER_03

Right. Well, I think the key though is what you said initially, and I don't think this part changes. What's the objective of that control? Right. So how do I know what enough is, right? And I think that's always been a struggle with doing any of this stuff. Or do I interpret somebody's recommendation or guidance that was slipped under the table in the middle of a meeting somewhere that says you should follow this stuff as well, and not being as transparent. That's one of the things I really do like about where FedRAMP 20x is going. It's very transparent. And I see people say, ah, well, you were early in and you're getting all the inside information. I'm gonna tell you what, we were in from day one, and I don't get any inside information. No. How about you guys?

SPEAKER_00

No, I mean the PMO has been very good about it. They don't have special meetings with us as the 3PAO. Even for that first cohort of pilots, I mean, we had the same, what, two engagement meetings maybe up front on what they were expecting. And it wasn't any inside baseball; we heard the same thing in both the meetings. And all of it was then published pretty out there, because Pete and the PMO have been very good about being transparent. I remember I talked at the CSP AB in November, and I think that was one of the things I thought was amazing, one of the big differences I've seen from previous PMOs: there were so many unspoken rules and interpretations that would hold up a package. We would assess a package the old-fashioned way, it would get through this time, but then it would hit a different reviewer, and the same exact thing would get a totally different response, right? And now Pete's like, well, is it in writing?

unknown

Right.

SPEAKER_00

Well, if it's not in writing, why are you looking at it? And that's the way it should be, right? You set your baseline, you evaluate against the baseline. Right.

SPEAKER_03

I think that is what really drove us to 20x and really to go almost all in. We've got a good portion of our engineers where that's all they're focused on, developing solutions for 20x. And I believe that it's gonna revolutionize not only the FedRAMP space, but I think it's gonna go further than that. And people are gonna start trusting the automations. I mean, people in the financial world have been trusting automations for years, right? So why can't auditors start to trust that information as well? But I always like to say it's not always the auditor, sometimes it's the accrediting body of the auditor that says this is how you have to go about doing that. So it'd be cool to hear from you guys. You guys have lots of accreditations, and what are the limitations that you see or feel, maybe from an accreditation standpoint, in some of your certifications?

SPEAKER_00

I think all of this is behavioral change. Because it's the old guard; people get so associated with what they've done and they feel like that's kind of who they are from a work perspective. When you start to challenge your approach, and look, I've been doing audits the old-fashioned way for a long time. But luckily I got that exposure to CDM and that thought process. And now with this new 20x thought process, it was like, man, cloud actually has a lot of capabilities to do this, where the old way, you just couldn't do it, and you couldn't do it at scale. But we have to now because of the volume of new services, new products out there. If we want to stay competitive from a federal government standpoint, you want to stay competitive with your rival governments, and how do you make sure you do that? But I think the big thing will be how do you train individuals in these roles to understand that, hey, we're not sampling anymore.

unknown

Right.

SPEAKER_00

We're giving you a hundred percent view into what this system looks like. Now, you could argue back and forth, are the KSIs covering everything that they used to cover? But that's a different argument. It's not that you use automation. Because I think automation, now with the advancement of AI, I think in five years you're gonna see self-correcting systems.

SPEAKER_03

And you can do that today, but it's more rule-based, if that makes sense. If this, then that, because we have some remediations that we have built in automatically, firewall rules, that kind of stuff, that are put in automatically. But the automation piece to me is a sea change in the way that systems need to be developed. I know we are looking at a lot of people talking about the governance, risk, and compliance engineering perspective. And I would go back to what I learned back in the 90s that says this is all part of systems engineering. Governance, risk, and compliance is part of systems engineering. So if you're looking at the entire system all at one time, that element of governance, risk, and compliance is also a part of that. So if you're taking it and really trying to engineer that piece, that's the piece I think is going to have to change a bit for people who are used to doing it the traditional method, and not just from an auditing perspective, and not even just from a developer's perspective, or not even from a compliance perspective, but take a look at those requirements and how can I engineer them to be better? How can I engineer them to be able to prove what we're doing as well? I think that's gonna be key moving forward. Not only do I do what I'm supposed to do, whatever that is, right, but I also generate the proof of what I need to do on a near real-time basis. And then you're reporting out to some dashboard that says, hey, he is constantly proving that he is doing what they're supposed to do, the system is doing what it's supposed to be doing.

SPEAKER_00

I think that purposeful shift left in your development cycle to actually include, call him a GRC engineer, but somebody who understands the GRC objectives but has the engineering background as well, and you move that left in the process, and you'll start to see these things come out naturally. And it's all for better hygiene and better security anyway, because you're building it in. I feel like at least initially when FedRAMP kicked off, everybody was trying to tack it on. And then you found everybody was having to build new systems, right? They would have to build their FedRAMP environment specifically in order to meet the requirements, right? Right. Because they weren't thinking about these things when they were developing the commercial product. And let's face it, some of the similar requirements probably make it harder to sell to commercial customers. I remember having this conversation. I had asked one of our customers one time, why are you building a completely different environment? It had to do with the HTTP standards at the time. Like a lot of commercial companies...

SPEAKER_03

Encryption, encryption is a big one at that level.

SPEAKER_00

And yes, the FIPS 140-2 encryption requirements. You couldn't sell that to commercial because commercial couldn't digest it at the time. So they had to build the systems, or else there'd be issues. I am curious how that problem works itself out, or if it's even still an issue as 20x moves forward, because I know one of the big goals is how do you get those commercial products, those commercial services, to the federal marketplace faster. And I think from a kind of unique thinking, and I would have never thought about this, the PMO is a little bit, it's almost like they're not setting the baseline right now, they're not setting a certain amount of parameters. I mean, there's gonna be, hey, these are the 61 KSIs, but you tell me what you're doing, and then if you're telling me you're doing it correctly, you validate that, you know, I'm doing X, X is true, even if X isn't necessarily what we thought about back in Rev 5. It gives the marketplace then a chance to look at it. And maybe every agency might have a different risk threshold based on what data they're worried about. And maybe a product that doesn't meet 323 controls with however many parameters are dictated is good enough because the risk is so low to that data, and it gives the marketplace a chance to make those decisions. And I think you'll also see where competitors implement more controls or more security, or do that extra pen test or do that extra red team, you'll see them have a competitive advantage when systems are alike. And I think you'll start seeing competition force more security KSIs, or maybe tougher MFA or better configuration protections.
So I actually think once it starts working, you might actually see a marketplace that's competing against each other to have a more secure solution when compared with the solutions that do the same things.

SPEAKER_03

And if you think about it, if you look at, say, World War II as an example, right? All the factories that were building things, they were in competition with each other to figure out how to build the best widget, whatever that widget was. Right. So whoever ultimately built the best widget then got the bigger contract to build all of the widgets, right? So that's kind of where we are going to be, I think, in the same space. So with competition, with the different vendors providing a different AI tool or a different way to do time management or financial management or planning for logistics, moving sick patients from one hospital to another hospital, they can figure out better ways to do that and generate some more competition to get there, and I think that'll help the overall market. It'll help us as taxpayers as well, right? Because that'll hopefully drive the price down. We'll get a better solution and a secure solution at the same time. But ultimately you'll have three vendors or four vendors or five vendors who think, wow, this is a really cool thing. Let me go ahead and get it out there. But I can't, oh man, I can't do it because of FedRAMP. That hurdle's just way too high. It's gonna cost me three million dollars just to do that. Yeah. And now still, one of the things I want to make sure I continue to express is, in this field, there's still gonna be cost and it's still gonna be hard, because a lot of the things that people aren't doing from a compliance perspective, they should be doing: the fundamentals, the basics. We do a lot of work with lots of different companies and we find various degrees of security maturity. In a lot of cases, we don't find mature organizations out there. So we have to do better vulnerability management.
We have to make sure that they have a SIEM and a SOC in place, an operations team who actually understands what threats look like. And by the way, when the shit does hit the fan, what are you gonna do about it, right? From an incident response perspective. So you still need those people involved in your design, your build, your management, and then how you actually defend it in the long run. So there's still gonna be those pieces. And I think that's where it's gonna enable these companies that see that as an advantage and not a hindrance, but that also has to be integrated well and it has to be easier to digest. Still gonna be hard, but security is not easy. It's just not easy. I don't care what anybody says. Yeah. Well, it's not gonna be so easy that you can turn it over in a day as well. So right.

SPEAKER_00

And I think it's a great point to reiterate: it's not going to be easy. This is still going to be hard. You have to engineer it in. From an assessor standpoint, you have to understand the objectives. You still have to build it in, maybe make updates over time so that you can be competitive. Hey, maybe you get to market quick because you've got some kind of minimum baseline, but your competitors are doing something a little more complicated. How do you not have to re-engineer everything and go back? So you build it purposefully, knowing I might have to make these changes in the future. And it starts at the CSPs, building that in, understanding it. From an assessment standpoint, I don't think these will be as easy. In some cases, like XBU40, if someone's built on top of you, we can leverage some of that for efficiency. But if we're bringing someone just straight in, I don't know how much code they might have that we would have to review. We still have to understand, hey, what's your boundary? What do you have out there? And then explain the process you're trying to do, and then we have to go look at the code: is it doing what you described to us? And is it capturing everything? And that's not gonna be simple either. No. So I still think your timelines might be able to be condensed versus what it was before, especially if you're building these in from the beginning. But honestly, I was always curious, because I always felt the two biggest problems with the traditional way were getting the sponsor. Yes, always. Getting a sponsor to get on the marketplace was always a holdup.
And then kind of what we called the "4PAO review," when you did get to that PMO and you could be in a nine-month to a year cycle, but you've already got the okay from the 3PAO that looked at it. And I think those, when you hear about it...

SPEAKER_03

The agency is also given in, the agency as well, right?

SPEAKER_00

So especially when you talk about DoD, some of their backlogs have gotten pretty big. So you have these solutions, and we have one right now, I think it's going on nine or ten months. We did the assessment, and it's just waiting in the queue. Like, do we do the annual assessment? Right. Or do you wait till you're authorized and get a date? And you run into those problems, and they haven't brought one customer in yet, right? Right. So if anything, 20x, and I'm assuming he's keeping it sponsorless, the goal is to keep it sponsorless.

SPEAKER_03

I think that's what, at least at the A level for sure, is the case, right? Yes. I know in the beginning he talked about giving people a year. I do remember him saying that, but I haven't heard that in a while, so I'm not sure if he's still talking that way.

SPEAKER_00

With the change to certification instead of authorized, changing the terminology, you are FedRAMP certified, it puts you on the marketplace, and then you have the right to go market your product. And maybe this is an opportunity for those smaller, cloud-native, mom-and-pop SaaS shops that have this really cool solution, but they're like a 10-person company. Bring it in. And who knows what agency you get as that first agency to sign on, and then you have revenue coming in. Now you have a better case if some agency says, hey, I want to see this a little differently. Because that's what I hear a lot too: well, if we do this, we have to do it the other way too. I was like, well, do you have another option if you want to play in the government space? This will provide an avenue to get you on the marketplace and give you a right to go sell. And if you can sell it to one, you have revenue coming in, and then you start getting interest from other places. Well, now all of a sudden you have that business justification if you have to do something else. Now, we'll see. Again, this comes down a lot to, do you want to play in the Department of War or do you not? Because right now it looks like they're going like this. Yeah. And then you have this CMMC and the FedRAMP equivalency thing.

SPEAKER_03

Let's just not go there today.

SPEAKER_00

I don't know. I don't know how 20x is going to impact either of those things. I know the PMO, I think it was one of the last calls, it was something I think they were going to take up with DoD. I don't know where that is, and I haven't heard anything else. But we get a lot of questions from CSPs not knowing what to do right now. And we start walking through some of these questions like, well, do you have a sponsor anywhere? Right. Do you just want to get into the government marketplace? Do you have aspirations, or do you think your solution is more directed towards the Department of War? Or is it something very much broader?

SPEAKER_03

We are having entirely different conversations than we've ever had before.

SPEAKER_00

Right.

SPEAKER_03

Right. With companies that I didn't think we would ever even entertain talking to. Because, here again, people have got to make a commitment in order to do this, because it is hard. 20x is a little bit easier, but it's still gonna be hard. So it's still gonna take a commitment, but I don't think it's as large of a commitment as it was previously. And what we've been able to do with our customers is walk them through a path of, okay, if this happens, then we have this path. Because the beauty of what we've done is we've designed our system to meet Rev5, FedRAMP High, IL5, right? And we can take it down a notch by the different pieces of software that we use. So it also meets FedRAMP Moderate, and it'll also meet FedRAMP 20x. It's just which tool do we take and apply? Which puzzle piece do we plug in? So in the beginning, if they want to go 20x, we build them a 20x system. But later, if they decide they want to go DoD, we add this and we add that, which just plugs directly in. And then guess what you can get as well? You can get the DoD side of the house. Or if they want to take it to FedRAMP High, then we're gonna add SSP modules in place. And most of that's auto-generated, so it's automatically generated as an SSP module, and it's language that's been audited multiple times, and since the majority of the system is ours, it makes it really easy to write, you know?

SPEAKER_00

Yeah, so it's a brilliant way to build it, because it gives you flexibility in moving without having to recreate the wheel. Right. Yep, and that's what I think sometimes happens: someone's entering the market and doesn't understand the full view of what's going on, and they get to this point, they build X, but X isn't able to move up to Y, and then you have to do something else. And then you see some of these companies with multiple systems at multiple levels, and I don't know, do you need to maintain four systems, or could you just maintain the High baseline one? It's an interesting business problem. And there's some confusion right now. A lot of our calls deal with the confusion, and I'm hoping some of that's cleared up. I think June is officially phase three, when they're releasing what the requirements are for cloud-native Low.

SPEAKER_03

And I have my fingers crossed it's June.

SPEAKER_00

Yeah, well, let's hope there's no... I don't think there's any planned government shutdowns between now and then, right? I hope not. I can never keep track at this point, but that always adds a little problem.

SPEAKER_03

A little flair to it, right?

SPEAKER_00

And then I'm curious, I think it's phase four or phase five when they start looking at the bigger infrastructure providers. Right. Because are you gonna open that up? You might open up the opportunity to look at data center companies. And because, look, everybody says, oh, data center, you gotta do physical. Do you? I bet you most of their network admins probably sit at home and they're logging in and pulling data about a lot of those controls. Well, if it's in zeros and ones, you can probably pull it forward into a KSI somewhere. Now, are you gonna be able to go in and look at whether there's a fire extinguisher here? Or maybe you have to do the quick... is there a gap?

SPEAKER_03

But I'm hoping that's where his desire to allow like SOC 2 or ISO 27K stuff can come into play. So if you could truly leverage those that already say, guess what, he has a fire extinguisher in the right location, she has a fire suppression button, it has an automatic switch-off and all that kind of stuff.

SPEAKER_00

It's not inside the room.

SPEAKER_03

Exactly. Yeah, so if you could trust all that is being done, then it's like, why do you have to ask the same questions over and over again?

SPEAKER_00

And you're absolutely right. One of the things we try to do, because we're obviously a 3PAO for FedRAMP, but we also do CMMC, we do SOC 2, we do ISO, we do PBMM, so if we go look at it once, we can use it multiple times, whatever report is generated first. So I do agree, I do think leveraging reports that have been done by another reputable assessor... Say the word again. Reputable assessor. There you go. Sorry. I know we had a little bit of a problem over the weekend with some of that. Just a little bit. Sorry. Yeah, just a tiny problem. We don't need to dive into that one right now. That's not true. But yeah, if those reports could be made available, I don't see why you couldn't leverage those, again, done by a reputable assessor. The way that it's been written today, and this is a problem with almost every one of these frameworks, and it probably goes back to one of the questions you had before about some of these bodies, accreditation bodies, it's gotta be their certified person. So, like CMMC, I have to have a CCA. If I'm doing FedRAMP, you have to be either a senior assessor or a junior assessor based on A2LA rules. If you're ISO, you have to be a lead auditor. If you're a SOC, you have to have the CPA sign off. If you're doing HITRUST, you have to have a HITRUST value.

SPEAKER_03

Yeah, no, and I actually felt that with one of your audits this year that we had, right? We had just done a FedRAMP audit and then we did a CMMC audit, and they couldn't reuse the auditing information because of what the accreditation body was saying about the evidence. And it's like, then maybe they need to do some reciprocity there as well, you know.

SPEAKER_00

As the operations guy, it is the most inefficient thing for us. And everybody thinks it's because we're trying to push price up, but it's not. It's just following the rule of the land.

SPEAKER_02

Well, if you're following the rules, you're following the rules, right? Right. So you want to make sure you maintain your ability to do audits.

SPEAKER_00

Right. Now, the good thing is over time it will improve, because for FedRAMP and CMMC, we're trying to get all our FedRAMP assessors cross-trained and certified, but there's also that Tier 3 clearance requirement, which takes up to nine months. Right. So that's hindering the entire market right now to get CCAs cleared. We're trying to align those assessors. So we actually have our first FedRAMP annual slash CMMC assessment going on right now, where we're trying to test once, use both times, because we have a senior assessor who's also a lead CCA. So now we can do that. But we get asked, because we are a QSA as well, hey, can you do P... well, we didn't have the QSA on that. We can't just reuse it, right? Right. It's gotta be someone. So that becomes one of the problems with reciprocity of reports the old-fashioned way: having those individuals cross-trained, cross-certified appropriately. And honestly, it's not even cross-trained. AC is AC. AU is AU across all these frameworks. It's just that badge, right?

SPEAKER_03

It's that certification for the individual. And to me, that's where sometimes we get wrapped around the axle on some things. And maybe it shouldn't be certification of individuals. Maybe it really should be certification of an organization that properly trains their staff to be able to do multiple frameworks. Right. Now, granted, you might not want to have somebody doing a SOC 2 that's doing a FedRAMP DoD IL5 assessment. But that doesn't mean they can't be a junior assessor over there.

SPEAKER_00

Well, what's interesting is we've tried to use FedRAMP assessors on SOC and they overdo it.

unknown

Right.

SPEAKER_00

Right. So that's what I'm saying. Why are we losing money on this particular job? Because we're in our 15th interview on AC today. That's right. Your guy asked me that last week.

SPEAKER_03

I was like, God, guys, can't we get this together? Right. I'd like to hone in just a little bit. I know we're getting close to time here too, but the training piece, to me, is something that we, as a community, as an ecosystem, are really gonna have to get together on and figure out how to make sure we have everybody trained at the right levels. And somehow or another, we've got to figure out from a community perspective what we can do to get people educated well enough. I personally think we have a really good pipeline methodology for how we bring in interns and then train our interns, and they shadow somebody for almost a year before we let them do almost anything, but that's a lot of investment from a small, privately held company. So it's like, how do we get that to work from a larger community perspective? How do we get people trained? I've asked this of a lot of different folks, but especially when you're a little more senior, what are you guys doing to train your people and the staff that you're bringing on board?

SPEAKER_00

Yeah, so we have done college hiring in the past. We've kind of put it on a little bit of a pause to see what's going on with 20x, because it may change the way we look at a college hire.

SPEAKER_01

Okay.

SPEAKER_00

But we usually bring in kind of a similar background to me: business information technology, computer information technology. So they have that little bit of capability to understand the business side, but have also done programming, have done network classes and some of those basics. When we bring them in, we set up probably about a six-week shadow program. Plus, we have recorded so many trainings by control for...

SPEAKER_03

Internal, like internal trainings. Cool, cool.

SPEAKER_00

They're given a curriculum when they start. They have to do certain things by certain milestones. They have a 30, 60, 90 day plan where they're supposed to finish all these trainings. We try to keep an up-to-date knowledge resource where, if one of our senior guys is testing a new technology, they try to write it up: hey, this is how you want to look at AC for this. So it's there. What we haven't done yet is enable something like an AI chatbot to make it easy to find. I found it's getting very convoluted. There's a lot of good information there, but if you're trying to find something quick, it's not easy to find. Right. So I think we'll probably have to start doing that. But we haven't gone down the intern route before. We did it at Varis, and we were able to bring people on over a summer, have them shadow, travel out. We used to travel a lot to do these assessments. Yeah, and they would be embedded with the team, they would be there for the interviews, and then you'd have someone tag up with them and walk them through controls, and they would do some of the write-ups at that point. Now, with 20x, and the reason I said we're on a little bit of a college pause, I'm not sure if those same individuals are the same type of people we're gonna want to hire. We might need someone with a little bit more coding background, maybe more computer engineering, computer science. Right, right. But there are also so many tools out there. Is it us taking a step back and looking at the tools, whether it's something AI-enabled that helps scrape the information initially? We're in a very, very interesting place right now, right?

SPEAKER_03

There's just a whole bunch of twists and turns here that could be.

SPEAKER_00

It's interesting. We've always been trying to automate. I know when I talked to some of your team earlier, we've been like, you guys let us run our scripts. Yep. We have some AWS scripts that we run on the command line so that, hey, we don't need to shoulder surf and screenshot all this stuff if you let us run this. You'd be surprised how many CSPs will just not let us do that. They don't want us to do that.

SPEAKER_03

We did, because we trusted you a little bit, so yeah.

SPEAKER_00

I appreciate it. And they came back, and I think some of the feedback was your guys loved the scripts, but some of the interpretations had to be...

SPEAKER_03

Yeah, the interpretation sometimes can be, just because that's what it's always gonna be expected to be.

SPEAKER_00

It is. But yeah, I think in our space, even auditors need to innovate too. Everybody's always kind of upset with the process, but the more we try to innovate, we get kickback from a lot of them. Like, oh, we don't want to do that. I mean, our goal with our XRamp platform was to eventually get to the point where we collect artifacts, it would use some kind of AI in the background that we would manage internally, that we would own, and it would do the initial scrub of the artifacts, and then it will come back and the human would validate: that's right, that's right. And then potentially even write the implementation statement for us.

SPEAKER_03

You would hope. I mean, in a lot of cases, they're very similar in nature. There's only certain ways that you can either pass or fail, right?

SPEAKER_00

So I think there's a lot of ideas in the assessor space. I think you're seeing some competitors starting to pull their tools through FedRAMP 20x. Actually, I think A-Line pulled theirs through Low. They did. I don't know if they're doing the Moderate pilot.

SPEAKER_03

I don't think I see them in the pilot, but I could be wrong. I don't think they're in the pilot.

SPEAKER_00

I don't know what their plan is there, but I'm assuming the tool is essentially what we were trying to do: how do we use AI to shorten the assessment, make it more thorough, make it more accurate, make it more consistent, and get rid of some of that human error, right? You could have your seniors help train the models to interpret things appropriately, and then juniors can go through and validate. So I think the next three to four years are gonna be really, really interesting in this space. I think the advancement of the GRC engineering movement, moving things left. I think 20x, at least on the FedRAMP side, will be great for CSPs. I'm not 100% sure if agencies are gonna be able to absorb it. And that's one of the questions I still have. I know one of the things the PMO has been looking for is GRC tools that can help make it digestible. We have one of those. Yes, you do. But are the agencies gonna be able to interpret the results, the machine-readable results, and understand, okay, that's the risk I'm signing up for? That's really what it comes down to, right? Yeah, this is what I'm reading.

SPEAKER_03

Remember the old Booz Allen days when we had the organizational change management? There's gonna have to be some organizational change management done here and a lot of education. But I could actually see 20x getting you in the marketplace, and you still have to have some kind of Rev5 kind of thing to get a product. I tell all my guys...

SPEAKER_00

So I think it's gonna ultimately be a hybrid approach for a while. And then you talk about everybody who's already Rev5 and the transition period, because there are some big, complex systems out there, and how are they gonna implement these KSIs if they haven't really thought about it? Again, this is the purposeful build. I'm not an engineer, but I imagine it's gonna be a lot of re-engineering time and money and investment to go back if you're, I don't know, AWS or Google. Well, maybe not, right? Maybe not Google. Google does a lot of innovative work. But I have to imagine some of these big IBM systems, some of these big ones like Salesforce, man, that's gotta be a huge Herculean effort. It's gotta be. Yeah. It's gonna be large, large efforts.

SPEAKER_03

But if it saves some time and money in the long run, it'll be very worth it, you know? Well, and if it's reusable across the board, that will make it very worthwhile to use, right? So once the agencies start accepting them and are able to ingest the information, I think that's what's gonna really start to keep every flavor.

SPEAKER_00

So we're starting to look at some of these international frameworks, and we get asked about them all the time, because we do FedRAMP, which is typically the High baseline, and the controls, whether it's ISO, whether it's NIST, are being used around the world now. Right. Australia's got IRAP, you've got all kinds of them in Europe, Asia, and for this automation to be successful and invested in by these big companies, is it going to be reusable in other places? Because otherwise, I think some of them will hold on to the Rev5 process as long as possible. And I don't know. Because that's what they know. It's what they know. What they know is what they've invested in, right? Yep.

SPEAKER_03

That's what everybody's trained on. They know how to produce the ConMon reports, the POA&M reports, they know how to go through the audits. So I think they're gonna be here for a while, you know.

SPEAKER_00

If you can get everybody to do it and get everybody to buy in, which is a big if, you'll start seeing, okay, it's worth our investment.

SPEAKER_03

And I described this to somebody recently: in the beginning days of FedRAMP, there were five people who were certified, then there were 12, then there were 18, then there were 24, then there were 36. But once it caught on, it caught on, and it caught on big. And their success was what slowed them down a bit, right? So I think we're gonna see the same thing here. In the beginning, there's gonna be some forward-leaning early adopters, and I think those early adopters are gonna be the ones that drive it, not just from a CSP perspective, but also from an agency perspective. Because I believe there are gonna be some agencies out there. We've had some discussions with them and they seem to be interested in it. And we'd like to see it actually turn into something. But that's what I think is gonna happen, over time. I think everybody wants it right now. Well, right, they haven't finished the pilots yet. So let's get the pilots finished and then move from there.

SPEAKER_00

So I tell you, our sales team is constantly like, hey, we need more collateral about 20x. We need more. I'm like, guys, it hasn't been completely defined yet. So we're waiting for June.

SPEAKER_03

It's funny you say that. So we developed some 20x Low information, and I'm gonna have Caitlin speak on this just for a second. And so we're developing our Moderate information, and I was like, Caitlin, we need to update this information, because it's not even accurate anymore.

SPEAKER_00

Right. Well, God bless them, they're transparent, but man, they change all the time. I mean, there's like a new RF...

SPEAKER_03

But just the whole naming, right? From authorization to validation to... it sounds like... all I can think about is truck driver licenses, right? CDL, Class C license. Right. I'm gonna be hauling toxic hazardous waste.

SPEAKER_00

It's backwards, because we're used to grading systems, so A is like the top. Well, now D is High, right? So it's kind of backwards.

SPEAKER_03

Yeah. I think it's really cool that he's taking it here, because one of the things that people have always worried about was that Low meant low security, and Low never meant low security. Low just meant it doesn't have those controls. Right. You've got a baseline that you're working against, that's what you're measuring against. That's the main thing. And I think that's what he was trying to get away from. But we've gone a good long time, and I appreciate the conversation. I feel like I could talk to you all day long. Yeah, I'm sure there's topics we probably didn't cover that we could. Oh, I bet there's a million topics we haven't covered, and maybe we do it again sometime. It'd be great to do a larger round table with folks as well from a practitioner perspective. I think that's what we need: to hear from more practitioners talking about this stuff and the reality of what it really takes to get there. Do you have any questions for me?

SPEAKER_00

I know I've been here peppering you with a whole bunch of different questions, but do you have anything for me in the last... I mean, I think we kind of talked about them a little, but I was gonna ask, because you've got more of the engineering background than I do: if you think about some of these more complicated, more complex cloud-native systems, what do you think some of their hangups will be in actually implementing something like 20x?

SPEAKER_03

Yeah, let me put them in two different buckets, if that's okay. So on the cloud-native side, if you're leveraging a large IaaS and the large capability there, and you're leveraging a lot of their more modern technology, Kubernetes or serverless or anything like that, it's gonna be challenging, but it's not gonna be impossible, right? But if you're a huge monolith and you haven't looked at updating your architecture or the way you deploy things or the way you manage things, it's gonna be difficult, because it's gonna make you think about how do I make my application more modern. And I don't mean modern from a user perspective. I mean from an underlying infrastructure perspective. So you're gonna have two camps. And there's even a third camp, which is: I have a data center I'm in, and I have things on different pieces of hardware. So how do I do that as well? And I think that's the order that you're gonna see them. People who have modern architectures, it's gonna be a challenge, but it's not gonna be impossible, right? People who have the larger, older software architectures, then it's gonna be harder. And it might be almost impossible for you to get the stuff out of it, because that part of the logging system hasn't been updated in X amount of years, as an example, to get the information out that you need. And I think the folks who have the data centers are gonna be the biggest challenge. But that doesn't mean you can't build some kind of validation mechanism out there that then reaches into everything and pulls everything back as well. But it will be, I think, more of an effort from that perspective, in my opinion.

SPEAKER_00

So are you are you happy about not having to do the SSPs in the future?

SPEAKER_03

You know, for us, um, since we built the same thing pretty much over uh almost every single time, um, it's not that wasn't that big of a deal for us. Uh SSPs were not a not a huge uh huge you know uh granted, we have some complicated customers that we work with, and then their application made some comp complicated methodologies for uh SSP development. But since we started doing the accelerators, uh our SSP development probably went from you know 500 hours down to a hundred hours of of of of time and or probably even less, uh depending on the complexity of the system.

SPEAKER_00

So um I I wanted to get it well, I don't know how much time we have left, but the whole you know AI in the FedRAMP space conversation and what you know what are some of your concerns? Um I know from the assessment side, we we've started to evaluate AI in our pen tests and some of the things that we are able to do. Um and there's not like that overlay yet and or a KSI associated with it yet. And curious like what your thoughts are with with the you know rapid expansion of AI and and the need for it in the market to stay competitive.

SPEAKER_03

I mean it's it's it you know for us, we're all in on AI. We we we we use it almost everywhere except in production, right? Um, but we do use it for pen testing. You know, we have an automated pen testing bot that we use. Um now we always have human in the loop and we have very strong um infrastructure, core infrastructure, because you know we're pipe guys, we build pipes to get stuff from point A to point B. So we're very concerned about how that information flows. So making sure that you have that solid security foundation, I think is still the start of any doing any of this stuff, but then figuring out what the boundaries are that you need to put around the AI um is key. And here again, leveraging tools that you know, not something that you just downloaded off the internet. Right. So I I think is is is key. I I could go on for for days probably.

SPEAKER_00

Yeah, I I I I was I at some point I want to pull the thread about the um the pen test bot because I I'm curious if it if it's pushing back a lot of false positives that your guys have to go through.

SPEAKER_03

Of course they do, you know? Yeah, yeah, absolutely. Um scanning tools, you're they do do the same thing, right? They give they give so many false positives that then you get you gotta spend some time kind of figuring out. But in our architectures, we we've seen them before, so we know what they are, and we can say that's a false positive. I could without even doing any uh analysis on it, I could tell you that's a false positive. Because I know that I have this compensating control, I have this over here, I have this over here, unless something just totally broke, you know, because we we only do it on our our infrastructures, we only do it on things that we know. So we know what the outcome should be. Does that make sense? Right.

SPEAKER_00

Well, I mean, yeah. I mean, if you're I I think the PMO has said it when they're out there is like you know what you've built, you should know what the outcomes of these things are going to be. Exactly. So we build it to show those outcomes and then we'll we'll see what you got, right? Exactly. Yep. Uh and it it's it's interesting times.

SPEAKER_03

Um is a great time to be in this industry. I'm I'm I'm thoroughly 100% uh loving it. And um, you know, I don't see um it changing anytime soon. It's probably moving faster than it's ever moved in my entire life.

SPEAKER_01

Yes.

SPEAKER_03

And and I've been doing this for a day or two, you know, back back back in the days of the mainframes and uh the systems, systems that were prolific everywhere, you know. Uh the old unique.

SPEAKER_00

I was gonna say 2025, we've we got the policy changes and we got all the technology influx with and it's all it's one or the other. And when they both hit at the same time, it's like how do you keep up?

SPEAKER_03

Yeah, well, if you have some more time, I wouldn't mind I mind asking you some soft touch questions around uh you know, I I like to ask a few questions around you like um you know, what's your favorite book or what you know what book are you recommending to people? Uh whether it's on a business side or it's a personal side that you like.

SPEAKER_00

So yeah, so I I I was thinking about this because I have watched some of your previous ones. I'm a spy novel guy. So like think Tom Clancy or those kind of like I don't know why I love the Jack Ryan Jr. stuff. Um I I just what I read. I'm one of those people when I read, I I I like to let my mind just go absolutely something like fiction world. Um you'll find me, you know, I was the kid who read the Harry Potter books as soon as they came out. And I, you know, kind of read the uh this I it was booked Eragon, and there was like these three it was just about a dragon rider, and I'm like, those like I just I just I I I'm at that interesting part of my life where my kids take up a lot of my time outside of working. And I I I've told my my wife, I'm like, I just want to go on a vacation where I can kill, I can read two books during that week. Because that's what we used to do. We used to go, we have to sit on the beach and just read, read, read. Like, I want to get we're almost there. I have a 17-year-old. Yeah, almost with born, but then I have the I still have an 11-year-old. Um, but yeah, I would say from a business side, I'm more like an article reader. Or I I have Headway, um, which is one of those, you know, micro, micro learning apps. So I'll go to the gym in the morning and I'll try to listen to something about AI or finance, or and I'll try to just get that quick understanding of it. And I found like it's funny, I like you don't think that would pump you up at the gym. Like you're sitting there about bench press and and you hey, let's talk about this financial topic. I'm like, oh, this is great. Like that's what I like. Yeah. Yeah. Um, but so that's what I I I kind of I do from those two perspectives. I read a lot of articles uh from a business perspective. I I do the Headway or an app like that. I don't want to not advertise in the Headway. Um and then yes, spy novels or something, just to let my brain relax.

SPEAKER_03

I like um apocalyptic um zombies and and uh uh The Stand is one of my favorite favorite books. If you've never read it, Stephen King, great book. Um from a business perspective, you know, my my taste goes anywhere from leadership uh to marketing. And uh I don't really read too many like security books because I read articles on security. I'm I'm a non-stop learner from from um reading what people write on LinkedIn or a Medium or um you know other places, uh constantly pulling that stuff in because there's just so much to learn. I mean, it's just it's amazing how much uh is out there uh that people are just putting out, which which makes it real easy, in my opinion, uh to learn. So always be always be learning is what I always say. So.

SPEAKER_00

It's a ton of content. I mean, you think about all the podcasts about almost every topic. That too.

SPEAKER_03

I listen to the non-stop podcasts too, um, quite often as well. Sometimes I might listen to them on two speed. So if you listen to this on two speed, I'm gonna talk real fast right now.

SPEAKER_00

Yeah, yeah. I do that occasionally as well. It's like, all right, they're talking a little slow. Let me tell you. Let me speed up a little bit. Let me speed up a little bit.

SPEAKER_03

So how about your favorite television show or uh movie that you're that you're watching?

SPEAKER_00

So I I'm I'm definitely an avid sports fan. I'm I'm a really active guy. Um so I'm one of those 5 a.m. go to the gym guys, work all day, go play golf afternoon, or take my kids to sports. Um so so I try to get outside or or do something active quite a bit. But I do like uh my wife and I are watching Landman right now on Paramount Plus. Um I I'm sure we'll follow it up with the Yellowstone series. We just got Paramount Plus, so we'll just see um I like if I'm not watching something with my wife, I like kind of historical fiction. Okay. Um so if you think of something like I don't even know, eh, it's still fiction. Like The Last Kingdom on Netflix. It's about the expansion of how England became England, and I just thought that was an all it's an awesome show. Um, but I'll watch things. I think there was Marco Polo on Netflix. Right. Um those are the things I like Vikings. Uh Vikings, yeah. All kind of like those older, like much more you know, ancient. I don't want to say ancient, but you know, just how we evolved. Before the Middle Ages, we're the Middle Ages. Yeah, yeah. Before the Middle Ages, I just think it's all really interesting. Um, and I love those kind of series when they have them on when so if I'm watching something by myself, that's what it is. If not during football season, avid college football and NFL fan. Um watching the NCAA tournament right now, you know, as much as I can, although apparently I'm watching it too much, according to my wife. So but it is what it is. Um there you go. But yeah, those are the things I typically do.

SPEAKER_03

So we do we also do like a lot of nonprofit services around here. Uh and and you know, do you do you do anything like that? Do you give um spend time giving back to nonprofit organizations or you know, service-based organizations at all? Yeah, so what what's your latest, what is your latest passion?

SPEAKER_00

So um my son, one of my my youngest son has nephrotic syndrome, which is a kidney disease, a rare kidney disease. So we uh, you know, we try to participate in some things with like NephCure and and things around that. Um we, you know, I coach, I I try to coach uh while I'm coaching soccer, starts next week. I'm like, yay, a bunch of 11-year-olds, 15, 11-year-olds is but you know what, I'm gonna miss it when it's gone, so I gotta take advantage of it when I can. Um so I try to, you know, where I can give time to kind of teaching kids, and you know, I don't try to just teach them the sport, but kind of teach them some of the values around it. Like if you're gonna try something, you know, put put your all into it, or if you're gonna commit. And um, you know, it's probably uh as a company, uh we we do some like James is really passionate about um helping, you know, kind of uh adults with you know some learning impairments. Uh we have this whole hygiene program where we're trying to help you know people with these impairments from being taken advantage of from a cybersecurity standpoint. Okay, that's cool. So it's it's one of the things James is trying to get us more into doing is more recent. Um so I but most of my time um, you know, probably around kids, NephCure, um doing those types of things. I have a feeling as as I my parenting becomes a little less intensive, I'll I'll start doing that.

SPEAKER_03

You'll find more time. And it's amazing how good it feels um to give back. Uh we uh my my youngest son has Down syndrome, and so we spend a lot of time in um Special Olympics. And uh we're doing we're doing events all over the place all the time. And um it really uh it makes you think about life totally different and uh gives you a totally different perspective. And then my wife sits on a couple of nonprofit boards. One of them is the child abuse prevention uh team here in Wilkes County, and it's all about court-ordered um supervised visits, uh, you know, things you don't even think about when you're just when you're living the lives that we have the privilege to live, you know. Right. Um, the about the families who have to go to supervised visits and it gives them a nice peaceful home uh to go to uh from a visitation perspective. And it really makes it easier on the children. Um, you know, whether the the the father or the mother has a court-ordered um you know supervised visit, and then you know, we we I don't I don't do it. I watch it from the from the from afar. But uh yeah, we we do support it you know quite a bit financially. And um it really is a it's a it's a good thing, you know, in communities. And here again, you just don't think about it, you know, when you're not really around it. Because we're I don't know about you, but I'm not around that on a daily basis, uh other than you know, listening to my wife and and watching what what goes on over there. So well, I truly appreciate uh the time uh that you give us today. Uh hopefully you enjoyed it. And uh you will maybe come back for another. There you go. It flies by. Yeah, that's it. That's it. Uh we we like uh nice chilled vibe, and I think that's kind of who we are. I mean, I think you know that, you know, uh we're just kind of easygoing people and we really want to just see you know people succeed, companies succeed, you know, CSPs succeed in in all of this as well.
But um, you know, it might not always be me uh behind the shield, but you'll always find somebody at InfusionPoints behind the shield, trying to get as much knowledge out there as possible. Cheers. That's okay and peace out. Thank you. Thanks, man. Thanks, thanks for your time.

SPEAKER_01

All right.