From Acceleration to ATO: Navigating Defense Tech, Divestitures, and the Future of FedRAMP Artwork

Behind the Shield

Behind the Shield is InfusionPoints’ podcast where we sit down with partners, customers, and industry leaders to talk about FedRAMP, compliance, and cybersecurity in today’s government landscape. Each episode offers laid-back, insightful conversations that blend expertise with real-world experiences.

All Episodes

Behind the Shield

From Acceleration to ATO: Navigating Defense Tech, Divestitures, and the Future of FedRAMP

May 05, 2026 • InfusionPoints • Season 1 • Episode 32

0:00 | 1:02:38

In this episode of Behind the Shield, we sit down with Phil Hickson alongside InfusionPoints’ Jackson Gorman and Jason Shropshire for a deep dive into the evolving world of Defense Tech and federal compliance.

Phil shares a behind-the-scenes look at navigating a complex FedRAMP ATO journey during a major divestiture, including standing up a new authorization boundary while maintaining compliance and customer continuity. The conversation explores the challenges of scaling secure cloud services across federal and DoD environments, from BCAP connections and IL4/IL5 considerations to managing risk at scale.

We also unpack what modernization looks like today. With FedRAMP 20x gaining momentum, the group discusses how Defense Tech companies can balance legacy requirements with continuous validation and automated evidence. The result is a candid look at where compliance is headed and what it means for companies building for mission-critical environments.

If you’re working in Defense Tech, selling into federal or DoD markets, or trying to make sense of where FedRAMP is going next, this episode offers practical insight from people actively navigating the shift.

Chapters:
00:08 Introduction and Guest Welcome
00:31 Phil's Experience with CSPs
02:34 Divestiture and Omnissa's Origin
05:20 Challenges with FedRAMP and DOD
15:22 Navigating DOD Authorization
33:45 Modernization and 20X Discussion
49:18 Phil's Origin Story in Compliance
55:44 Lighthearted Questions and Wrap-up

Guest Links:
Phil Hickson- https://www.linkedin.com/in/philhickson/
Omnissa- https://www.linkedin.com/company/omnissa/
Omnissa trust center | Cloud security & compliance- https://www.omnissa.com/trust-center/
Omnissa Products and Platform Services- https://www.omnissa.com/products/
https://www.omnissa.com/

About Omnissa:
Omnissa provides an industry-leading digital workspace platform of services that simplifies the delivery, management, and security of devices, apps, and services to employees and IT teams alike.
Explore Omnissa - the digital work platform leader- https://www.omnissa.com/about-us/

InfusionPoints Links:
Jason Shropshire- https://www.linkedin.com/in/shrop/
Jackson Gorman- https://www.linkedin.com/in/jacksonagorman/
https://www.linkedin.com/company/infusionpoints/
https://infusionpoints.com/
https://xbu40.com/
FedRAMP 20x Quick Look Assessment for CSPs: https://xbu40.com/assessment
'SWFT, cATO, 20x and Rev 4 Drag Still Inside DoD Cloud Authorization' Blog: https://infusionpoints.com/blogs/swft-cato-20x-and-rev-4-drag-still-inside-dow-cloud-authorization

InfusionPoints & AWS:
InfusionPoints is proud to be an Amazon Web Services Premier Tier Services Partner, supporting organizations in building, managing, and defending secure cloud environments.

About Us:
InfusionPoints is a trusted cybersecurity, cloud engineering, and compliance partner helping organizations Build, Manage, and Defend secure, mission-ready environments in highly regulated markets.
We specialize in FedRAMP, FedRAMP 20x, DoD, and enterprise security frameworks, supporting organizations from initial authorization through continuous monitoring and optimization. Our team brings deep technical expertise and real-world operational insight to every engagement.
Through our independent, security-first approach, we integrate people, processes, and technology to deliver scalable, compliant, and resilient solutions. From strategy and architecture to operations and defense, we help customers move faster without sacrificing security.

SPEAKER_00 0:08

All right. Well, welcome back to another episode of Behind the Shield. Um, today I've got a couple of uh great guests, our very own Jackson Gorman.

SPEAKER_03 0:19

Hey, good to be back.

SPEAKER_00 0:20

Say hello, Jackson. And we have uh Phil Hickson, our our good friend and uh multi- multi-time client now. Hey, Phil. Hey, good to be here. I appreciate the invite. Yeah, glad to have you on. Um so so, Phil, you know, uniquely, one thing that strikes me about you and your experience from your chair is uh having the experience of building a tier a tier two CSP's ATO over you know a number of years um through consolidation and and uh of multiple products that were brought in through acquisition and that kind of thing, the ins and outs of that, the complexities of that, and then you know managing that at scale, um, and then you know having quite a bit of sales volume in that environment, uh, and then going through a divestiture to where you're currently at now, you know, with with uh Omnissa, um you know, from the the uh the the VMware EUC you know product line. What uh I mean I've always thought, gosh, there's not a whole lot of people that have done that, right? Um so tell us a little bit about that experience and and how that what that's been like for you.

SPEAKER_01 1:37

Yeah, um interesting, right? Because like you said, uh as far as we're aware also, that hasn't been something that too many folks have had to navigate. Um like set to set the context a little bit, right? So um Omnissa now is what you know three years ago was the end user computing division of VMware. Um primary product lines right then and and still now are Horizon and Workspace One for BDI and device management. And um, you know, at the time, you know, three years ago when Broadcom announced that they were gonna buy VMware, uh I remember sitting there with the uh the rest of the government services team. We had you know 60, 70 people working on the FedRamp program over there for VMware. And I said, ah, Broadcom doesn't have FedRamp, we'll be fine. Turns out Broadcom doesn't want FedRamp. You know, they're not they're not that wasn't their business model and they weren't interested in delivering cloud services. Yeah, right. And so, and so uh, you know, as as things transpired, we realized, okay, um that that's not the direction they're headed. And not only that, you know, they were consolidating the portfolio. They had some you know specific strategic things they wanted to do with the acquisition. But the good thing for end-user computing was you know, it was a pretty tight consolidated portfolio. Uh, you know, when you think about that sort of remote work, device management, and and kind of user access use case.

SPEAKER_00 3:03

It was already sort of a core product in in and of itself, right?

SPEAKER_01 3:06

Yeah, and it and it had you know pretty substantial market share uh in that segment. And so, you know, I think BryCom recognized that it wasn't in the strategy, but it was also a very concise piece that they could spin off. And so they did, and and that is uh now the origin of Omnissa. And so, you know, there's a lot of complexities uh in executing the divestiture, you know, partly is taking end user computing division and making it a company, right? And so there was a lot of different components and uh functions and things being brought into the organization to supplement what was really just kind of you know engineering and product heavy. Um that was also partly us, right? VMblar had a very centralized FedRAMP team, so they took a little slice of us that had experience working with the end user computing uh portfolio, and we came over to help kind of sustain that function uh form NISA. Right. Um so a lot of complexities with the Divesture on its own, but FedRAMP is a particularly challenging thing because you think back to the VMware days, they had a central control plane that the VMware federal team was operating. And then we were bringing individual applications from the product portfolio, which is pretty broad, right? A lot of VMware had a lot of stuff in the in the menu, uh, bringing those services in and operating them all off that centralized Federant control plane. And so when we say we're gonna spin off Omnissa, well, Workspace One can't just spin off. We can't just take the control plane with us, right? And so that's of course when uh you know we started to figure out well, how do we do this? We got in touch with you guys and uh started looking for our own Omnissa control plane solution, which you know we've leveraged with great success the uh the landing zone that that you guys offer. Um and so uh the the interesting thing, the challenging thing was that we had to sustain a connection to the FedRAMP authorization that VMware was running while we built an authorized kind of a separate stack over here on the side. Um and for a variety of reasons, you know, we weren't able to take the existing production workloads, the existing customer tenants, and do like a data migration from the VMware stack into the new Omnisus stack. We had to actually retain those production tenants and physically move them, network them over to the new Omniset boundary. And so, you know, it's one it's one thing to think of that as like a networking problem. It's another to think about a compliance problem and how you navigate redrawing the the boundary lines and you know what is the sequence of activities that means you don't go into some some sort of non-compliant twilight zone uh in the middle of it. And so we had conversations with FedPMO, we had a lot of conversations with our three pal. Uh we had a lot of conversations, you know, thinking about how do we do this. And and the consistent thing was like, oh, well, this is a novel problem. And and uh, like so many things, you know, it kind of turned out, hey, if we could propose something that made sense, something you know that was clearly built or designed to respect maintaining security controls and the integrity of the boundary, most of the stakeholders were willing to kind of go like, okay, yeah, that works and and let's let's try it. And so um, you know, that's really what we did. We stood up the second authorization boundary um for NISA. Once that was fully authorized, then we executed uh a cutover of those production applications onto the new boundary. And, you know, there it was kind of a phased activity. We did it in, you know, some sort of specific steps and chunks, um, but in a relatively short period of time, had everything off of one control plane and onto another. Um, and you know, in that between the process, there was, you know, either working off the VGS authorization boundary or the omnisci authorization boundary, and uh it went pretty smoothly.

SPEAKER_00 7:10

Yeah, I mean, I I know we go ahead, Jackson.

SPEAKER_03 7:13

I remember those early days, like trying to architect it and put it on paper was one of the most challenging things because you had this novel concept that to our knowledge nobody's ever done before, with a really large-scale environment. Um, on top of that, there was a lot of changes within Federant PMO as well as um on the DoD side, and we haven't really even scratched the surface there. Uh so trying to navigate the the architecture itself and the swing on top of a totally different landscape within the governance structure through Federamp and DOD. Um, I was like, is this even gonna work? You know, like we're putting it on paper in theory, and I'm really happy to say now that it did, and over time we were able to effectively plan it so that it ultimately didn't impact the boundary, it didn't impact your customers. But, you know, you might have not have known at the start, but I was definitely like a little wary. I was like, hmm, we're gonna be confident about this, we're gonna go in strong, but this is this is new, you know, it's we gotta really be thoughtful about it.

SPEAKER_01 8:17

And to add complexity, as if the situation needed it, we scrap the jab and start spitting up FedRAMP 20X while that's all happening.

SPEAKER_00 8:25

Yeah, right. Oh yeah, yeah. All the change going on right in the middle of the project, right? Yeah. Like the like in the middle of of our big change, the the the whole process is shifting on us. Um so yeah, but uh when uh when something zigs, we zag, right?

SPEAKER_01 8:45

Well, and you know, one thing I remember being a bit of a challenge was trying to decide, you know, we were going from a jab authorization to VMware, and now all of a sudden, in the midst of our transition, that's not even on the table anymore. There is no jab. So now we're starting to talk to agency partners and say, hey guys, here's this organization change that's happening. And oh, by the way, we got to talk about it in the context of the programmatic change at FedRAMP, and you know, we need to talk to you guys about sponsorship. And, you know, we did find some excellent and receptive partners, but it was a challenging conversation to sort of enter into because these are partners who've been consuming our service perhaps for years, but always in the context of a jab organization. And that's you know, a fundamentally different level of engagement from them. So it was kind of an interesting thing to have to approach them with that um and and ask for it. In a way, I I kind of think in retrospect that the dissolution of the jab simplified that because we could point to that and say, we need your agency sponsorship because of this.

SPEAKER_00 9:50

That was the impetus. Yeah.

SPEAKER_01 9:52

Yeah. There is no other option. I don't think we would have been able to sustain a jab authorization. We had some really early discussions with the PMO about that, and they were very reluctant to set a precedent that you could spin off a jab authorization off another jab authorization just because there was the vestiture. And so I think we were going to be forced down probably an agency path, regardless, just given the circumstances. But, you know, as it turns out, there weren't any alternatives anyway.

SPEAKER_00 10:17

Right. Yeah, I'm sitting here thinking like the like among the people here on, you know, in this podcast, we we've sort of had that purview to see the the change required from a people process and technology standpoint. Like all three were dramatically impacted. Um, I mean, it feels to me like the people side of it as far as just socializing the change um to the stakeholders, right, was probably the hardest part. Yeah. I mean, yeah.

SPEAKER_03 10:47

I mean, there was that impetus you described with the jab dissolution. I think you're right, Phil, that's spot on. It definitely helped the discussion because it's, you know, you're layering in this really novel concept and uh what feels like uh a major change. But I think the strategy was so effective because you were able to describe that nothing on your workloads are changing, the risk posture isn't changing, the customer implementation or the you know, responsibility isn't changing, none of that is um, and because of that, you have a much cleaner narrative where in the background, you know, a lot is going on under the hood effectively to make sure that we're working with the appropriate 3PAO, uh, with Fortrium, as well as with various review teams, um, which, you know, I think uh lower tempers a little bit, right? It was able to get that narrative across a little easier.

SPEAKER_01 11:43

Yeah. And I, you know, I will say too, just the partnership that we have with you, as well as our long-standing relationship with Fortrium, you know, those kind of partnerships were exceedingly helpful because A, you're just bringing more brains to the whiteboard when you're trying to figure out how this works, more perspectives, more prior experiences, uh, even if it wasn't this scenario, you know, just fresher ideas. And then two, you know, going to somebody like the PMO with three partners and saying, hey, this is what we've come up with. Um, I think one, it was probably a better product, a better suggestion. And two, you know, we can carry that with a bit more confidence than saying like this is what we came up with in isolation. So that value of partnerships is huge. Yeah.

unknown 12:33

Yeah.

SPEAKER_03 12:35

Yeah, go ahead, Jason.

SPEAKER_00 12:37

Well, I was just gonna say we've um we we've always played really well with our three PO partners, you know, across the table. Um, but some uh you know, Fortrium specifically, have have really leaned in with us to learn um our platform capabilities and and how our team operates and and processes. So you probably benefited from uh you know some of that um knowledge that had been built up together as a team, you know, at other places, um, I would suspect. Yeah, that helps.

SPEAKER_01 13:10

I mean the other thing that that we had that I think is a huge advantage is that um EUC and specifically the Workspace One team have been doing FedRAP for quite a long time, right? They started out with a FedRAP moderate um that wasn't the consolidated BGS boundary, it was just Workspace One, um started as an agency authorization. Uh at some point, you know, in the VMware journey, kind of upshifted that and brought it into the BGS boundary at the high level. Um, so there's a pretty good bench of experience on the engineering side here of folks working in the FedRAMP environment and you know managing a federal system at that security control level. And and that amount of experience uh translated well when we had to now navigate something kind of uncertain as well. There was a good there was a good baseline to start.

SPEAKER_00 13:58

Yeah, and and Phil, like um, you know, going back to 2017, I think we were involved at VMware and knew the EUC product line uh pretty well, um, help helped with VMC uh and consolidating the ATO from an advisory standpoint. This is when we were developing our engineering chops still. Um, but I think our knowledge there helped as well. I mean, it just as as a team, you know, Fortrium knew us, we knew VMware already. I mean, it just sort of gelled. So cool.

SPEAKER_01 14:32

A lot of collective time on the trail, so to speak.

SPEAKER_00 14:35

Yeah, exactly. What'd you have, Jack?

SPEAKER_03 14:39

We didn't really, yeah, we didn't really talk much about the DOD element there. Um and what I found interesting, especially because we're seeing it a lot lately, is the the technical considerations of like a BCAP connection, right? And how to grapple with both, hey, I need to support my federal civilian workloads on this side, but I also have these use cases at IL 4 and IL5, um, and the the inherent friction that comes with that. And I wanted to I wanted to dig into that a little bit and and get your lens on it from you know, we already talked about this ATO journey from uh FedRAM side, but kind of the journey on the DOD side and and what you've been experiencing there.

SPEAKER_01 15:22

Yeah, um that has been a long journey. Um going even back to the VMware days when we were uh getting that Fed High ATO, um we were already at that point interested in trying to get you know a DO DOD at the time impact level five authorization, now it'd be impact level four, right? Because it wasn't national security systems at the time. Um you know, and as I look at it in retrospect, having now been through more of the formal onboarding, and we're now, you know, as we speak, working on that VCAP connection process, you know, one of the gaps that I think was just we didn't know what we didn't know at VMware was the only iteration that VMware team had done was with VMC. That was with you know VMC, which was a platform service, as opposed to Workspace One, which is a SaaS service. And if, you know, I know you do you guys are familiar, but if anyone else is familiar, like getting into the SRG, there's some important distinctions that get drawn out when you're talking about SaaS versus passive IaaS in you know in a lot of different sections. And so I think we didn't appreciate some of the um architectural changes that we would need to do that BCAP connection, especially to meet some of the requirements around DNS management, IP addressing, you know, things like that. In in hindsight, I think that caused some friction that really slowed us down with those early attempts. Um but you know sometimes working with a DOD team, it's it's difficult to get feedback, right? Stuff gets up there and kind of gets stuck and and we couldn't flush out like what is the problem, and it would it wasn't being articulated. And so when we came and started working with you guys with a DoD authorization in scope, um, you know, I think we were at a point of starting to uh understand what some of the challenges were, and you guys were able to bring your prior experience working through DoD authorizations, um, which has been a huge help because seeing past that veil of like JVT kickoff, you know, with the DoD team is is hard, right? You don't get a lot of information until you're in a black box for the first time you're going through it. And that's a little late to start learning lessons like, oh, there was an architectural consideration we hadn't made. Um there's always going to be a certain level of that, I think, but um that was a challenge, and it I think it's one that now we're seeing uh some progress against, and and a lot of that has to do again with just knowing a little bit better what to expect. Yeah, for sure.

SPEAKER_03 18:00

I appreciate the insight too from uh your perspective, because sometimes uh we definitely share a lot of that, like, yeah, it's a black box and things do change fairly often. Um but just kind of understanding that from your perspective, I think, is helpful, especially for those who are watching or listening to this. Um being able to understand which door to knock on and have the belly buttons and be like, oh yeah, yeah. I know I kind of know who can make this process move a little faster, especially when the logistics are even harder than the technical requirements sometimes. Yeah. There's a lot of fuss from engineering teams about, oh, how am I gonna make this work? And you know, at the end of the day, sometimes you get to that point and they're like, Yep, we'll just flip this switch for you and you're you're good to go. Um but getting to that point where they flip the switch is a rig and roll, it's very challenging. Uh, and I think that what we're trying to, and hopefully with this new push on 20x and the DevTech uh software fast tracking, we can see a little bit more of that modernization. Um where and how that looks, I think is yet to be seen. But we're trying to pilot some of those solutions, you know, within within these military environments as well, so that they can get access to these latest solutions, such as Workspace One, um, and not be mired in long-term logistics battles to get there.

SPEAKER_01 19:25

Yeah. Yep. That's a big piece. And of course, all of that is explained and and captured in the elegance of DOD regulatory writing. Which right, that that makes it uh you know all the more difficult to sift through like what are we supposed to do with this? I feel like I can say that, like, having been a former army guy, like I appreciate the elegance of regulatory writing, but uh yeah, that's a that's another layer.

SPEAKER_03 19:51

The audience there sometimes it's a little it's written to a specific audience. The CSP is not always in mind. Um, but I we've seen some updates coming out that as this is now a year out now, but the um CSP SRG kind of giving a little bit more of a lens there. Uh they just released uh the controls crosswalk for what we just had a blog on, which is this emerging friction where you're still seeing Rev4 systems on component level packages, you know, and how does that work where it just is mandating that you have to, you know, you got to move to Rev5, and then we have on FedRAMP, you know, we're moving into the future with 20x. Yeah. Um, and I think all that goes to help illuminate the path a little bit more and illuminate their expectations, uh, but it still requires a little bit of help sometimes to make sure that you're not running into a pitfall, like you mentioned, down the line when you've already invested a lot of time and uh cycles into the solution.

SPEAKER_01 20:49

Yeah, and I mean, and you get out a point there that worries me a little bit looking forward is the DOD's velocity to be able to stay at you know in step with some of the things happening on the FedRamp side. Because, you know, they leverage that FedRamp work tremendously.

SPEAKER_00 21:05

Um traditionally, yeah, absolutely.

SPEAKER_01 21:08

Yeah, and and if if we lose that, if if there starts to be a gap there, I think that's gonna be really costly because I mean, as you guys know, right now, if anything, like velocity and automation are two things that BOD's still gotta kind of figure out in their authorization process. It's still you know a pretty small team, it's still pretty manual, and right that does that does not necessarily align very well with some of the objectives that you know Federam 20X is trying to execute on.

SPEAKER_00 21:37

I mean that that that's that's something that that we saw early. We we were kind of expecting um the DoD Swift initiative to sort of ride the coattails of 20x with maybe some additional requirements or some some degree of reciprocity, kind of like um the the DOD SRG rode the coattails of FedR of FedRamp Rev. First it was uh FedRamp version one, then version two was based on Rev four, I think. And then then they started just calling it Rev 5. Yeah. Um, but but yeah, I mean it it's um I mean one has always been predicated on the other because the work that NIST does, right, is is designed to be reusable across um the entire government, including the military. Um but yeah, I mean it it seems to have stalled out. It it's uh I mean uh we haven't heard much about Swift. Um you know, we're now in year two of the administration and uh soon to be, you know, you we're not that far away from from um you know being being past the halfway point.

SPEAKER_01 22:43

So and not to be too tongue-in-cheek, I feel like there's kind of like maybe two tracks of experience happening with the VOD right now. And if you've got like AI at the end of your name, you are able to like move fast and accelerate some things, and you know, obviously there's a point to that, right? And they're trying to enable some capabilities quickly, but I think there's some some authorization activity that's moving at a different speed and to a different uh level of uh maybe rigor.

SPEAKER_00 23:12

True story, Phil. We were talking to uh a very large, well-known AI company um some months back, and uh you know uh they'll remain nameless for the purpose of the conversation, but um uh Pete Hegseth came out and said yes, they'll be available on on DOD networks next month, and then we never heard from them again. Right. Compliance solved. Yeah, exactly. Yeah, so it's uh it's definitely uh interesting times where where compliance could be optional in some some cases. Yeah.

SPEAKER_01 23:50

Whereas meanwhile, I'm gonna still talk to my technical rep every month about you know individual line items on my deviation request sheet, you know.

SPEAKER_00 23:58

Yep. Yeah, the full rigor for you, buddy.

SPEAKER_01 24:02

Yeah. Full rigor, all of it. You get the whole thing.

SPEAKER_00 24:05

That's the the most beauty thing I've read all day. Yeah. I I wanted to unpack a little bit more because nobody talks about this as far as the the intricacies that you mention of of um you know for the BCAP connection with regard to if if if you're delivering uh infrastructure as a service or you know, kind of a platform level, or you know, versus a SaaS, right? And uniquely VMC, I remember talking to the uh you know originally briefing um a VMware sponsor uh for IELTV on what VMC is, right? And and how it didn't fit I well, it's sort of fit both categories of a SaaS um and an infrastructure as a service, right? Because basically it was a SaaS application that delivered an infrastructure as a service for each tenant, right? And it managed it it that way. Um and you know, uniquely, so so that you know, as far as getting, you know, the whole purpose of BCAP is um being able to get to the service or the endpoints or the workloads over a DOD network and not having to traverse the public internet, right? Yeah, you know, to get to the SaaS part of that, right? It's it's basically getting to the endpoint. Um to get to the infrastructure, well, that that could be more of a mission by mission um requirement or or or layer, right? So I remember having that diagram of of uh you know each delivered tenant, uh, you know, each instance of the the SDDC, the soft, soft, I can't think of the even the what I think. Software defined data center. Yeah. Software-defined data center, thank you. Um, you know, had its own networking layer and and and that could be purposed along with um you know the uh different services on the AWS side, because it's all hosted in AWS, um, to then have that DX connection back to a particular mission owner's network, right? Um I mean what what what are the differences that uh that you saw, you know, in in in working through that on the you know, instead of just VMC, what does it look look like for a SaaS just in your experience?

SPEAKER_01 26:30

Yeah, I I think the difference, right, is that on the SaaS side, the the DOD mission owner as the tenant really doesn't have control over any of those networking elements, right? And so the SRG, you can tell, was really kind of written originally thinking about maybe something like an SDBC infrastructure type of service. And and I think, you know, uh in in their defense, you know, the folks at DISA have have you know really gotten more aware of what some of the challenges in SaaS and the distinctions between like SAS and IaaS are, and they do make quite a lot of references, you know, to exceptions in the case of SAS. Um, but you know, there's still like some fundamental stuff that I think is just sort of tilted towards IaaS in in the SAG requirements. Um but you know, for us, because the tenant couldn't manage any of that stuff, now we're having to make decisions like, okay, well, I guess we, you know, the SaaS owners, we're gonna get the domain space, we're gonna get the DoD ID uh IP space, and and trying to figure out just how to architect that, how to, you know, how should it look? Um, how do we run that DOD infrastructure next to our commercial, you know, our com I'll say commercial, but you know, our other non-DOD FedRAMP infrastructure was something that we had to really sit down and work through, and we did that a lot together. Um Yeah. The other thing that's complicating about that, of course, is the SRG, you know, it'll say, okay, here's the rule, and and it's a little different if you're SaaS, and oh, there is an exception process. So then you're kind of left with that third wild card of like, well, do we seek an exception? And and you know, we talk to mission owners and they're like, no, no, do not submit an exception. Like, that'll take forever. Um, you know, so it's trying to figure out like what's the path that you want to take. The the one area that I'm kind of interested to see how it evolves over time as an alternative to BCAP is the CNAT or the cloud native access coin. Because the SRG does reference it, right? And it kind of talks about how you know you as the cloud service provider can operate something akin to those BCAP, you know, edge protections and and you know, still sit fulfill the same functions, and that would alleviate the need to route traffic across uh you know the the Nipper net and you know across the IAPs and that kind of thing. Um they talk about it, but the SRG is like a little reference that says, and the CNAP's a thing, go read the design doc on CNAP. And it doesn't really talk about it anymore. And so it's like it's kind of there, like you could do it, but I don't think it's been really in I I don't get the sense that it's been really internalized. I'd be interested to see if it's been operationalized and kind of like under what circumstances it's been made to work. Like has a cloud service provider been able to actually successfully implement and get approval of CNAP type architecture? Because I think there's a lot of potential there, especially when you look at a lot of the things that we're doing in the FedRAMP control plane. Um, and and Mark, you know, my uh compliance me, he's he's done a pretty good analysis of the CNAP uh requirements against like what we're doing in the control plane. I think there's a pretty good argument to be made for like meeting the CNAP requirements. It's just do you want to roll the dice on trying to get that authorized when it's it's clearly kind of something new? Right.

SPEAKER_03 29:53

Yeah. And on that point, uh you kind of looking at it from the mission owner side too. Um I was just having a conversation with another one of our customers yesterday on this topic. And one of the risks is just around the reuse, you know. Um, when you approach mission owner A, uh they may be, hey, fine, I just want to buy the thing. You know, I want to consume the software and um meet my mission. Uh mission owner B, they may see that in there and be like, CNAP. No, no, no, no, no. You know, I don't I that's that's I'm not gonna sign off on that risk. So it's really challenging to navigate in order to not only have DISA aware and have that, you know, either codified in your provisional authorization letter or kind of going through the connection approval office and saying, hey, we're gonna we're gonna execute on your your waiver for what in their eyes is a single cloud information technology project per their uh SNAP registration. So it's like for that mission owner, you may have it, for this one, you may not. And being able to have a flexible uh approach within your platform is key to that. And I think to your point, Phil, there's a lot of opportunity. Um we have used the CNAP architecture and in theory and in practice for transit account connectivity across those isolated network paths. Um it's just being, you know, I think that gives you some flexibility uh to to approach it. It's i i just calling that out. I think there's a there's a level of risk there on reuse that uh always kind of comes up when I think through this stuff.

SPEAKER_01 31:31

Yeah, there's not necessarily pay to be the first one in line to try to do the thing.

SPEAKER_00 31:37

Right. Not always, unless it really comes down in your favor, the decisions. Yeah, exactly. Um you're gonna roll the dice along. Yeah, and there's a category of cloud provider in this space also that that they themselves or what they're selling looks a lot like um those protections in the SECA, right? Um, which are those, you know, that that protection layer. Um and and you know, it's it's a really awkward conversation to say, hey, you have a you have to have the same protection layer in front of your application that's also designed to be a protection layer uh for the mission owners that would adopt it, you know. And it's like, well, what will that do to latency? And uh isn't that gonna, you know. Um so you know, we've had those conversations as well, but then, you know, I mean, the struggle is is depending on your mission owner, um there may not sometimes there's just not somebody to have the conversation with, right? That's gonna understand it at that level. Um, to allow the exception, like in my opinion, some of these things should be exceptions because of the very nature of the cloud service is zero trust or or um you know, some kind of edge protection layer itself, right? So why are we routing it through edge protection? I mean, this is designed for a different use case.

unknown 33:07

Yeah.

SPEAKER_01 33:08

Yeah, I think that's that's definitely it. And we feel a little bit of that, right? As as mobile device management kind of being at the the heart of the Workspace One application suite, it's like when you look at what kind of traffic uh you know you're you're getting, a lot of it is coming off public internet, right? A lot of those devices aren't necessarily on the Nipponet now. And so you're you know, you're having to talk about doing some different routing because you gotta you you know you gotta hit the right riggots, basically.

SPEAKER_00 33:35

Yeah, that's interesting to get onto Nipponet so you can get to the service to I great discussion, I think.

SPEAKER_03 33:47

Um I'd love to explore what monetization looks like to you guys. For me, we've been exploring that topic a lot as we've been ingrained and uh just got our 20x moderate, I think, well class C, right? Uh if we're going by that terminology. Um a lot of that is operational evidence, right? So uh go ahead, Jason. I'd love your thoughts.

SPEAKER_00 34:11

Well, uh, you know, there's been two reactions that that people in our chair, you know, in our chair have have had to 20x, right? It's either, you know, no, we're deaf tech, we're we're old school DOD, we're not gonna look at that that that new 20x stuff, or or we're gonna lean into it, right? And and I think there have been far fewer that I've seen leaning into it. And and we made a very conscious early decision to to lean into it and see where it goes, um, you know, is is is our perspective. And really that comes from a standpoint of you know what what Pete Pete Waterman has uh coined the term um, what do you call it, FedRamp um fatigue or just the you know, FedRamp trauma, I think is what he's called it. Um but you know, I think everybody here in this podcast has had our own FedRamp trauma. Um but it's it's all the things that were broken about the FedRamp process and us seeing customers get stymied, you know, in their final review over things that shouldn't have been a big deal. Uh they they could have told us about them once they had a chance to review it and we could have fixed it, but it didn't need to hold up an ATO, just things like that. Um uh that as well as just the the fundamental lack of of um capacity in the program um that's that's played it uh to some degree. So I mean we really leaned into it heavily just just to see where it could go to and and to to do our part to help.

SPEAKER_01 35:48

Yeah, I mean I think it makes sense, and that's gonna have to be a big piece, right? Is like what are the the tools, the resources available in order to execute on those requirements, right? So I'm kind of excited to see where you know the accelerator uh platform in and kind of that integration with 20x where that goes, because yeah, I mean, you know, it's I like a lot of what Fedoramp seems to be doing, and necessarily they're not being super specific on implementation, right? It's kind of like you know, set the standards and let's see what people do with it. So um you gotta get some things out in the marketplace though, if it's gonna, if it's gonna work, it's gonna have legs.

SPEAKER_00 36:25

Yeah. Yeah, I mean, we we took XPU40 platform through it. We've kind of the classic accelerator term, we're we're uh I think transitioning to XP 40 uh as our platform name, and then you know the classic accelerator is now the XPU40 single single tenant or um standalone. Um so we'll build that for a customer like like Omnissa. You know, mainly our our larger customers that that that are gonna have more scale, don't want to be, you know, in a multi-tenant um environment. So but uh but yeah, you know, 20x is is is is interesting. I mean, it it's it's also uniquely positioned us um to help glue together the old and the new, you know, because we built XBU40, the whole platform, all of our automations around um the the classic approach, the Rev5 approach, and all the way up to DOD IL5. Um and we just took that existing platform and figured out you know how to how to reflect the the KSIs around that. And and then um there's a a layer of KSIs that we cover and a layer that our customers have to cover or the the checks within the KSIs that they have to cover. Um so uniquely, you know, our platform can cover down on either path that you're going. If we have one customer that that just started with us that, you know, they weren't they're they're still not certain which path is going to open up to them, and and they've got opportunities all the way to DOD um IL5, but they would love to get into FedRamp um as soon as they can. So we're taking them down 20x first, uh, and with with a way to rapidly prove all the RED-5 controls uh to get them on the DOD path in parallel. So it's uh it's a fun place to be for folks in the industry with that specific need of flexibility to be able to get to either either direction um and to help them kind of um you know kind of have a bridge uh in between during this period of which way are things gonna go.

SPEAKER_01 38:40

So yeah, and and I think you alluded to it earlier, the answer for an intermediate time might just be both, right? You might have to kind of account for the emerging Federal requirements as well as legacy DoD requirements if you want to be in both spaces. And uh yeah, but you know, it's an interesting thing. I I assume eventually that the DoD is gonna kind of figure out how to turn the ship. Um, it's just a slow turn. And you know, and I get it, like their risk profile is different. And you know, so it's kind of maybe it's a question of figuring out like what's the the modular extra that can satisfy DOD risk tolerance being lowered, but still mimic or follow kind of the operational observability heart of 20x.

SPEAKER_03 39:26

That's what's gonna be fun. Um is trying to find the efficiencies between both and delivering packages that at the end of the day are more real time. They're giving you an active wrist posture and can then be viewed and generated anytime you want, versus that you're looking 30 days in the past when you finally get around to reviewing it. Um and given the relationship that we've built over there with the the JVT analysts, those scars, I think that they're gonna be really happy to see this type of technology because sometimes it it's a s it's a struggle, you know, being able to not only um monitor risk for the many packages that are on the Disc Cloud marketplace, but also respond to it and and kick it up the chain when needed. Um just being able to have a consumable package that could integrate with EMAS or integrate easily into their workflow, give them visual that's right now very manual, right? But in the future, we hope we can kind of get them on that train. And if they see that as a value add, you know, um, we'd love to be able to deliver that, not only for you, but at the end of the day, right, for the mission owner and for the authorizing official who's got to sign off on the risk. Um I'm super excited to see that type of innovation.

SPEAKER_01 40:44

You know, and I wonder too a little bit, like, is there a space in the future where the DOD is able to decentralize ownership of some of that authorization process? And I get it, you know, like disauthorizes the cloud and you know, the mission o's are authorizing the workloads and things. But um, the fact that all of your monthly, you know, Kanmon, all of the authorization decisions still kind of filter through DISA and then trickle down, that you know, that's always gonna be a bit of a choke point. That's always gonna be a scaling issue. And I I don't know, I I would hope that maybe there's a point where the DOD can kind of figure out how to push some of that responsibility uh down onto the mission owner level so that again you could just move a little more freely. Because, you know, unless you just make that you know, that team up there at the cloud assessments division massive, um you're always gonna have a bit of a scale issue or a choke point.

SPEAKER_00 41:39

Yeah, yeah, along along that line, Phil, like one thing that that I learned this year, and I I think I I knew about it, but I didn't realize the scale of it until um I went out to FCO West conference uh out in in San Diego. It's a big naval conference, um, DefTech, like all the different vendors uh for the Navy come out, uh, including like AI and software companies and and you name it. Um but I I took uh almost the entire time I just walk the expo and talk to people, uh, talk to tables. Uniquely at these dev tech conferences, you get a chance to talk to a lot of C levels uh instead of marketing folks. So you the the conversations are just deeper, right? And it's more about you know the uh priorities of the of the company. You can have conversations more at that level. But um one thing that I learned is there's a huge amount of software being delivered that could be delivered as cloud, uh, you know, in DOD cloud, but it's not. It's being delivered more mission by mission independently in Army's Army or Navy or you know, whichever um side of the of the armed forces that that it is. Um, but it's being delivered you know into different enclaves. Um you know, C Army is one of them. I think NavC is one, but it's just there there's a a lot of that. In fact, you know, I think I walked and talked to 17 different um booths tables. Hardly anybody even knew what the DISA cloud process is. Um I mean, I was amazed. I was amazed, but but they have software deployed here and there, um, or they're managing multiple instances. There's one company that I met um that that's all that they had done. They had built a business um you know developing fleet management software, right? And um, and and they deploy wherever the their customer wants it deployed. I mean, then they manage it there as well. Um you know, the amount of sprawl. I mean like like you talk about building a massive cloud force or you know cloud workforce in DISA to to do these authorizations. It's like it's already there. It's just spread out everywhere uh and being done. That's a good point. Um, you know, in in a distributed way already. It's just uh uh it really hit me like a a ton of bricks. Um that'd be a good GAO report. Yeah, yeah, really. Really.

SPEAKER_03 44:30

Yeah, and then you get that you get that um that new customer that comes in or the current one that's like, hey, mandate came down, we gotta move to cloud. Uh-oh. Or I can't really even buy your software because I got nowhere to put it. I have to put it in cloud. And if you don't want to go to or you can't go to a cloud brokerage that you describe, then okay, SOL. I gotta pack my bags and we're not gonna win this deal. Um so it's a massive problem, I think, that you just highlighted there, Jason.

SPEAKER_00 44:58

I mean, uh I look at the the distant marketplace differently now because I've I'd always wondered why is this growing so slowly? Why is it seem to be the only the um the very largest companies? And then it dawned on me that, well, it's because that they're at the scale that they can't deploy in one of those mill clouds, right? They have to they have to manage their deployment independently uh because the team is too big that that that manages that. Um so that's why they they end up going through the DISA PA because they were too big uh to go through any any one mission owner's environment. Um but I still think that DISA is the tail wagging the dog a bit um and and not the other way around. It was really insightful um to to go to that. But this customer that we met that did the fleet management, uh fleet management software, uh they're letting us take them because they have a customer on the the uh Fed Civ side that's approved to purchase, like they want to buy it, but they have nobody to to manage the ATO. That that uh that agency just doesn't they don't manage um FedRamp ATOs at all. Um so we, you know, thanks to FedR FedRamp 20X and and some of the reforms, we're taking them through 20x certification now um on the SaaS side so that they can sell into that that agency. Now we're still very interested in how it's gonna play out um because by the rules, the way they stand today, certific certification lasts what, two years until you've you have to pick up a a sponsor, right? So we'll we'll see how that plays out. But uh we're really hopeful that that we can open doors for some of these companies that just haven't had a way to sell uh into their customer.

SPEAKER_01 46:52

Yeah, and I mean that's interesting too, right? Because you you get a lot of spectrum across agencies on what sort of resources they have to do this sort of compliance management piece. We have some very engaged, pretty deep bench, you know, they'll really get into it and understand you know the 853 uh requirements really, really well. And then and others you might hardly ever hear from. And I mean, that's not to say that they're not looking at it, right? But I think a lot of it comes down to resourcing that they have available to do that because you know, you think about the amount of work it takes to sit down and go through monthly reports on a Rev5 package, if you're being thorough, and then you're gonna repeat that over how many different services that you might consume in the cloud. And and after a while, yeah, it's a it's a pretty big chunk of work just to maintain that kind of month over month consumption. So hopefully 20x you know helps you know make that a little bit more consumable and and it's not as heavy a management overhead.

SPEAKER_03 47:53

Definitely. Um that's something we've been even kind of thinking through is like ATO management, especially for agencies that don't have a centralized view of that and risk profile for each of the SaaS offerings that they consume. Um were those agencies that maybe, like you said, more in a the crawl stage and they're you know, they don't have as many ATOs that they're um overseeing. Um but just like we talked about earlier, having that at a glance view of where you're at takes that equation out where I don't need to parse through all these scans and I don't need to then go back to you to check in on this ret finding from six months ago because I finally got around to looking at it. Um it you just have an active view of, oh, here's where we stand. Um and if they do have a question or concern, can address that in real time for what is an active risk.

SPEAKER_01 48:45

It makes me think it's it's like the SOC having alert fatigue, right? You throw so much information at them every month with a standard Kanban report that it's just kind of like, oh my gosh, like what matters here? And hopefully, right, with 20x and and that kind of dashboard view of the world, you can actually say, like, ah, now I I will know when I have an issue. I will know when something really requires a deeper look. And that'll take a little bit of time to find just the right recipe and build the confidence. But I think there's I think there's a good potential there, and that's what that's what they need if they're gonna actually consume widely.

SPEAKER_00 49:18

All right. Well, I would love to keep keep geek geeking out on this uh dev tech topic all day long, and we could. Um but I wanted to shift topics real quick and our time left. Uh, I'd love to give folks an opportunity to hear the unique origin stories in in uh in this compliance and engineering space. So, Bill, I wanted to give you kind of a chance to talk to our listeners uh you know through that and and how you got into this uh this space.

SPEAKER_01 49:48

Yeah, um I'll I'll try not to be too uh loquacious about it, but if anything, it ought to be a hopeful story. Like if you know you too can work in federal compliance. Um so you know, I got out of college, right? I went to ROTC. I was in the Army for about a decade. Um, you know, my wife and I were starting to have a family and said, okay, it's time to kind of hang it up. You know, we didn't want to be moving around and kind of having that lifestyle. And so got out of the Army and I started initially working for Honeywell, doing some aerospace work. Um it was really you know project management type work around um aerospace manufacturing schedules. And um so did that for five or six years, um, really enjoyed it, learned a lot. And uh at some point in time we said, hey, we want to move back close to you know my wife's family is uh in Wisconsin, which is where we're at now. And so we were gonna build a house, you know, but now we're talking about doing all that stuff out of state. And the bank came and they said, Well, you have a job in Wisconsin, right? And I was like, What? No, in Kansas City. And and turns out, right, that's kind of the expectation around lending out of state is that you can have like a clear path to employment um once you're in state. And so I said, Oh man, I gotta like I gotta find something else to do. And uh at the time, a good friend of mine who you guys know, Chris, uh he had started on with VMware working in the FedRAMP team, but really on like the DOD and you know, T or you know, secret and TS levels uh that VMware was doing. And he said, Hey, there's a program management job open. And I said, Man, like I don't know, like IT is not my background. And then he's like, it's fine, it's program management. And uh, you know, to a point that is true, um, I will also say I have learned a tremendous amount over the last five years, you know, just trying to come to grips with the technology and the architectures. And, you know, the the one thing I'll say, starting in VMware, where as one of the FedRamp program managers, I was really focused on onboarding new products into the FedRamp boundary. It gave me a chance to touch a lot of different things. And while that felt like drinking from the fire hose uh, you know, a lot early on, it is also exposing me to a lot of different architectures and technologies and things like that. And they had a great team over there, you know. And so uh tip of my hat to Joe Whittles, who was, you know, the uh the lead over there, our manager, and um, they had a really fantastic compliance team, um, which I'm thankful, you know, Mark. I got to stay with Mark as we came over here to Omnissa. Uh, he goes way back on the VMware site as well. There's a lot of expertise over there, so it was a great place to learn. Um, and yeah, I sometimes I say I've Googled my way through uh learning the IT uh compliance uh topic, but uh yeah, you know, it's it's also it's kind of an open book test, right? Like a lot of government-related things, a lot of it's written down. You just gotta you know take some time and spend some time in the books and try to absorb it. So that's that's how I ended up here. Uh a little bit of uh connection and friendly suggestion, and then uh a lot of help from smart folks along the way.

SPEAKER_00 52:58

Yeah, you're uh you know, you mentioning drinking from the fire hose. I remember when we when we started working for for VMware, um, specifically for VMC, we got a lot of uh exposure to the the VMC teams. Um and it was it was the first time that you know that I would say that we had been exposed at that level um uh to to in cloud engineers that were that were building this stuff. And man, when you take um gray area compliance requirements to to these types of engineers, it they they just look at you like they just balk at it.

SPEAKER_04 53:35

Yeah.

SPEAKER_00 53:36

I remember that being some very uncomfortable uh few weeks when we were starting and we had to get our act together on on uh how to work with engineering teams a lot better. But um the language is fundamentally different. It really is, it really is. And uh you gotta do your homework ahead of time. Uh and uh and and uh maybe is never a good answer.

SPEAKER_01 54:00

Um so yeah. Yeah, I mean I think a lot of it comes down to like trying to keep the perspective on like what is the what is the end state, what is a control or requirement trying to accomplish, and then let's troubleshoot how we can get there. Yeah, and you know, honestly, there's a lot of the same experience at Honeywell, you know, totally different side of engineering, right? But sometimes you get some conversations and you go down a rabbit hole. You go down that technical rabbit hole, and all of a sudden my eyes are rolled back in my head, and like I don't blackout, I don't know what happened. Um, because they can talk at such a depth that you know I'll never be there. But um, you know, you try to find that balance and and again I think keep your gaze a little further on the horizon about what you're trying to accomplish. Um, you know, you figure it out.

SPEAKER_00 54:46

Yeah, I mean, we we were taking a management consulting approach uh in those early years with FedRamp, and we realized that if we're gonna keep doing this, we got to get deeply technical. Uh so we really went back to our roots and kind of you know sharpened our pencils and and uh took a whole lot of training classes, um, watched a whole lot of YouTube. But um, and and you know that that was really the origin of the platform, too. I mean, a lot of what we saw VMware build in the UCP and you know, the control plane uh that you were talking about earlier inspired us to build our you know our own control plane. So um that that was a great time because it it was uh transformative for us um and kind of led us to where we are today. But um, but yeah, cool cool story. Um lightning around questions, Jackson. Did you do you have any?

SPEAKER_03 55:44

Oh, put me on the spot here. I guess uh Phil if you had to go if you had to go back by you know a year and a half now, right? When we first started kind of getting the initial planning going, um would you say the biggest lesson learned for you was now that we're here today. We got the ATO and cut over was executed.

SPEAKER_01 56:09

Yeah. Um I mean I I think maybe I'm I'm speaking a little bit from my own chair here, but you just gotta get into the conversations and start drawing some pictures and and like putting the details down because honestly, that's where the stuff gets fleshed out. And um, you know, I again I'll give a tip of my hat to our federal engineering folks. I think, you know, they get a lot on their plates, right? So you gotta be thoughtful about you know respecting kind of the cycles and and making sure you put enough time in for planning, but they'll come to the table and have those conversations. And and when you do, that's when you really start to have the breakthroughs. So, you know, it's tempting to kind of try to sit in a box and create a big plan. Um, but you really got to get out there and like pressure test it with the engineering teams, you know, go talk to your 3KO, get those different perspectives, and and that's how you're gonna find your solution. So just draw it, draw it and get into the weeds early and often, I think.

SPEAKER_02 57:15

Yeah.

SPEAKER_00 57:17

All right, we got to do lighthearted questions from now on. It's good. This is the fun segment, Jackson. I hear Jackson has some great film recommendations.

SPEAKER_03 57:26

I'm not I'm not honest enough, you know. I I learned my lesson. If you invite me, if you invite me back again, I'll make sure you note that down.

SPEAKER_00 57:33

You're always welcome here, Jackson. All right. A favorite TV show or something you're watching right now.

SPEAKER_01 57:43

I'm I'm pretty excited for the uh next season of Ted Lasso to come out. I heard uh that's coming out in August. I'm pretty excited for that. Nice.

SPEAKER_03 57:51

I've been watching um Your Friends and Neighbors on Apple TV, and great show. Um I think John Ham kills it.

SPEAKER_02 58:00

Of course you have. That's like he's gonna say something that I watched.

SPEAKER_03 58:06

Okay, but I didn't say some obscure, just like random, you know, indie film from ten years ago. You can't hear the other one we watch either.

SPEAKER_01 58:19

Favorite show of mine that I've just got my kids or I'm trying to get my kids into is this is a bit of a throwback, but uh Firefly. Um they're like big on Star Wars. I've got them in Lord of the Rings, uh, but I'm I'm trying to get them excited about Firefly. That's kind of the next thing on my list.

SPEAKER_00 58:37

Nice. I've got a teenager that can't get out of the record store. Like he's got a vinyl collection going and and uh yeah, it's no TV though. He doesn't do a whole lot of TV shows. Rare that is not a bad problem to have. It's very rare. Well, it's it's but but it's YouTube. You know, it they're on YouTube all the time. So don't, you know, I'm no better off. All right, so it's like do you have even dumber? Yeah, yeah, exactly. Much dumber. Um any I don't know, unusual hobbies that we wouldn't suspect? Anything like that? Or just a hobby that we would suspect.

SPEAKER_03 59:16

I feel like my yeah, you go first, Jerry. But I have been getting into Dungeons and Dragons with some buddies. Nice um and they're buddies, and we do that virtually, so I I don't have all the stuff yet, but that's been a lot of fun.

SPEAKER_00 59:37

I love the AI uh r response, Jackson. They're working all the time.

SPEAKER_01 59:42

Yeah, well, my kids are in elementary school, so it's like my hobbies are a lot of doing stuff that they're doing. Uh, you know, they're playing baseball and soccer and they're in scouts and that kind of stuff. So, you know, I've spent a lot of time doing those things. Um, I still try to get out and play soccer when I can, but uh the uh the older and older I get, the closer and closer I realize to hitting the end of my soccer playing days, so I'll have to pick up something a little more gentle here at some point.

SPEAKER_00 1:00:09

Yeah, you're in that you're in that stage of your hobbies or their hobbies, their hobbies, right?

SPEAKER_01 1:00:16

Yeah, yeah, a little bit. A little bit, which is fun though, right? Because you know, then we get them trying things that we like, um board games and stuff like that, and they're pretty receptive to it, so that's fun.

SPEAKER_00 1:00:28

Yeah, we're actually taking our uh scout tree um to the the local camp here this weekend, so I'm trying to get that all packed up tonight.

SPEAKER_01 1:00:39

Yeah, our pack uh we just had our Pinewood Derby race through the year, and they for the last two years have done an adult heat, so you can do your own car, no weight limit. And my wife got into it this year actually. She was like the designer on uh what was the second fastest car in the pack.

SPEAKER_00 1:00:55

So I'm not bad. Pretty happy with that. So my kids were in the in this the the pack uh in Mooresville, North Carolina, which is also known as Ray City, like all the race shops for NASCAR are there. So the Pinewood Derby is just a dumpster fire of guys on testosterone that are like over-engineering the hell out of the house. Yeah, overbuilding their cars and their kids' cars and fist fights breaking out, and you it's just it's not good. Not a healthy thing.

SPEAKER_03 1:01:22

Yeah, I grew up in Mooresville, so it was like stone throw, you would hit some someone in NASCAR, a spot or a driver, you know. He couldn't avoid it.

SPEAKER_00 1:01:34

Well, that that's an excellent episode, guys. I think it was a great conversation, Phil. We really uh really appreciate you coming on. We appreciate you being a friend. And uh yeah, I loved it.

SPEAKER_01 1:01:47

Hey, I appreciate the invite. It's fun, enjoy talking shop, and you know, it's uh it's great. I've learned a lot from you guys, you know, and and so being able to come here and sharing that experience a little bit is I think it's really valuable for us, you know. Like just to get back to that origin story. You know, I learned a heck of a lot from the VGS team, and that was a great place to start, but there's things that just having a partnership with you guys that have given me insights and helped me learn. Um this would be a hard job to do in isolation.

SPEAKER_00 1:02:17

Cool. So I really appreciate that. Thanks so much for watching Behind the Shield. Oh, go go ahead, Jackson. No, it's just good to reflect on it sometimes. That's all I decided.

SPEAKER_02 1:02:27

Cool. Thanks, guys. Thank you.