Behind the Shield

Breaking Into Def Tech: The Top 5 Challenges Facing Modern Companies

InfusionPoints Season 1 Episode 34


The Defense Tech market is full of opportunity, but getting into the space is far from simple.

In this episode of Behind the Shield, InfusionPoints COO Jason Shropshire and CEO Gary Daemer each share their perspectives on the top 5 challenges companies face when trying to break into the Defense Tech and Department of Defense market. The conversation highlights how technical, operational, and business challenges can look very different depending on where companies are in their federal journey.

From navigating FedRAMP and the DoD Cloud Computing Security Requirements Guide (DoD CC SRG) to finding sponsorship, securing IL4/IL5 authorizations, and surviving long ATO timelines, this conversation offers a candid look at the operational, technical, and business realities of entering the federal and defense markets.

The discussion also explores:
• Why sponsorship is one of the biggest barriers to entry
• The difference between FedRAMP and DoD authorization pathways
• Challenges around IL4 and IL5 environments
• The impact of RMF, DISA, BCAP, and eMASS processes
• Why predictability and automation matter for modern compliance
• Hardening requirements, STIGs, and securing cloud environments
• The business realities of getting a second and third government customer
• How FedRAMP 20x and automation could reshape the future of Defense Tech compliance

Whether you're a startup trying to break into Defense Tech, a cloud service provider pursuing federal business, or an established company navigating DoD requirements, this episode provides practical insight from a team actively helping organizations operate in regulated federal environments.

What You’ll Learn:
• The biggest mistakes companies make entering Defense Tech
• Why compliance alone does not guarantee success
• The hidden complexity of IL4/IL5 authorizations
• How authorization delays impact business growth
• Where the Defense Tech market may be headed next

Learn more about InfusionPoints:
https://www.linkedin.com/company/infusionpoints/
Gary Daemer: https://www.linkedin.com/in/infusionpoints/
Jason Shropshire: https://www.linkedin.com/in/shrop/
Request a Demo: https://xbu40.com/
Blogs: 
SWFT, cATO, 20x and the Rev. 4 Drag Still Inside DoW Cloud Authorization:
https://infusionpoints.com/blogs/swft-cato-20x-and-rev-4-drag-still-inside-dow-cloud-authorization
The Quiet Convergence: why DoD DevSecOps, SWFT, and FedRAMP 20x are Starting to Rhyme:
https://infusionpoints.com/blogs/quiet-convergence-why-dod-devsecops-swft-and-fedramp-20x-are-starting-rhyme
Subscribe for more conversations on FedRAMP, Defense Tech, cybersecurity, cloud compliance, and the future of continuous authorization.

InfusionPoints & AWS:
InfusionPoints is proud to be an Amazon Web Services Premier Tier Services Partner, supporting organizations in building, managing, and defending secure cloud environments.

About Us:
InfusionPoints is a trusted cybersecurity, cloud engineering, and compliance partner helping organizations Build, Manage, and Defend secure, mission-ready environments in highly regulated markets.
We specialize in FedRAMP, FedRAMP 20x, DoD, and enterprise security frameworks, supporting organizations from initial authorization through continuous monitoring and optimization. Our team brings deep technical expertise and real-world operational insight to every engagement.
Through our independent, security-first approach, we integrate people, processes, and technology to deliver scalable, compliant, and resilient solutions. From strategy and architecture to operations and defense, we help customers move faster without sacrificing security.

SPEAKER_02

So welcome back everybody to another episode of Behind the Shield Podcast. I'm your host today, uh Jason Shropshire, and I'm joined by our co-host, Gary Daemer. Mr. Gary Daemer.

SPEAKER_00

Absolutely. It's a pleasure uh to be here again.

SPEAKER_02

It's been a while since it's been a while since we've talked.

SPEAKER_00

It's been a while since we've talked, yeah, exactly, on the podcast. Um we thought you know this would be a pretty good episode for us to dive a little bit deeper into the world of the Department of War slash Department of Defense, depending on where doing business as, department. Doing business as, uh as Department of War. And we we thought we would try to maybe give some kind of um challenges and struggles that we see um companies kind of going through trying to get into the um and and into doing business with uh um in this def tech space, defense tech space. And what I really like to do uh, if we can is kind of talk about like what are what are our top five um challenges that we see, you know, trying to get into this business. Now, I know we talked a little bit before this, but we really didn't talk a lot about before this. I think we have different perspectives on what the top five challenges are because you know you the customers that you work with look at things maybe slightly different than the customers that I look at. And sometimes I'm looking at it from a pure InfusionPoints perspective and not from what does it what do the individual customers you know have um um what they see as challenges uh within this space. So I'd love to hear from your perspective what you've seen, say over the last six to nine months to a year in people trying to get into this market, what what's the real struggle here?

SPEAKER_02

Yeah, and I mean we'll get into my top five and your top five. I think that there's gonna be some agreement, some overlap.

SPEAKER_00

There's definitely some overlap, but you know.

SPEAKER_02

Um but I think for me, you know, going out. I mean, we we got into this space mainly through FedRAMP, right? Yep. So we were supporting, you know, customers going through FedRAMP. A lot of these are large, like tier two CSPs that that are kind of both right below the Azure AWS GCP kind of level, uh, but still very large uh in their own right. Um, and you know, they have broad applicability to all sectors of government, right? Including DOD and DOW.

SPEAKER_00

Right.

SPEAKER_02

Um, so uh based on that, these customers are pursuing, um, while they're pursuing like a contracts with DHS or GSA, uh they're also pursuing contracts with components in the in the DOD.

SPEAKER_00

Right, because they have services that'll work in both spaces, right? Yep.

SPEAKER_02

And um, you know, there's a very specific program for CSPs that that meet that that criteria that we got immersed in very quickly just through our FedRAMP work, and that's the DOD Cloud Computing Security Requirements Guide. Always a big mouthful. It is DOD C C S R G. Um I know it as. That that basically exactly that basically amends the requirements uh for for FedRAMP. So um, you know, for a while the only path was through FedRAMP Moderate, and then they bumped that up to also support FedRAMP High once that pathway came out. And um, you know, from there you can get your IL2, which eventually they they made just fully reciprocal to FedRAMP Moderate. Uh, and then they um you know have the the Moderate to um uh IL4 path and and the High to IL5 path as kind of the current recognized uh pathways to to do that. And again, you know, what we've seen. So a good number of our customers.

SPEAKER_00

What is like the IL IL path? What is IL mean and what's impact level? Okay. So and what's the difference between like IL4 and IL5? What's the big difference between those?

SPEAKER_02

Yeah, uh basically there's additional requirements that come into scope when you go from IL4 to IL5. IL5 is very um explicit about being um the level where CUI can come into scope, right? Um, specifically um national security sensitive uh CUI, right? Uh and and there's been a lot of effort to to make that very clear in the latest versions of the SRG that NSS is required, the NSS control is required in IL5. But it's always been the intent of IL5 was to cover those workloads that have national security implications but are still unclassed.

SPEAKER_00

Right, right.

SPEAKER_02

Got it, got it. Um, but yeah, from a from our customer standpoint, it's always been those that have, you know, been going down the the the FedCiv pathway uh through FedRAMP, and then they're adding on the ability to sell into DOD at IL4 and IL5. They're trying to work their way up the watermarks to sell at all different levels. Right, right. Uh and then, you know, from my perspective, my eyes opened up a lot going, you know, we we've been attending more AFCEA events and def tech kind of events um lately. And and this year I had a chance to go out to AFCEA West um in uh San Diego, and uh I was really what what amazed me was how few of the folks that I talked to who are provide some software of some kind to DOD, DOW, how few even really knew about the DOD CC SRG process.

SPEAKER_00

Which is the only one that I ever knew about at the very beginning of all those processes, right? So Right.

SPEAKER_02

But but these guys have have made a living at um you know, and maybe they have a pedigree that came from the DOW, right? Or they've got a lot of background there, but they're like, you know what, I know of a specific insight because I've been in in in uh maybe I was in the service myself or as a civilian and I saw very unique needs the DOW has, uh, and I I'm gonna build a solution for that and put start a company around it. Right. And then they use their connections and contacts to kind of sell direct, right?

SPEAKER_00

Right, right.

SPEAKER_02

Um, but they have software and and uh and if they're selling into army, then army's like, well, use our cloud army uh cloud uh that's based on AWS, but you know, we'll make you an enclave there and you can put your stuff there.

SPEAKER_00

Right.

SPEAKER_02

Um so that kind of leads to my number one, right? Is um depending on who you are and how you approach this process, um it it can be really difficult to break into DOW, right? Like, especially if you're one of these broadly applicable clouds, right? Maybe you're maybe you get pulled in because you're competing uh on a contract, or maybe you you maybe you have a good federal team that you've hired, federal sales team that knows how to get on the right vehicles and how to how to uh sell to to to DOW. Uh, but still you've the the barrier to entry there is pretty difficult. Um just because it's a whole different language. It's a whole different um even the what we're familiar with and how we got into it was a big difference in language and you know, learning the impact levels and learning um all that. It's a whole different uh basket of uh acronyms.

SPEAKER_00

It is a whole new basket of acronyms for sure. Yeah, yeah.

SPEAKER_02

That's kind of mine.

SPEAKER_00

Okay, all right. So, you know, for me, I've always really focused on how do we get the people past or our customers past that first step, even ourselves past that first step. And it it's very difficult to find that angle in because if you don't truly understand the market itself or how they communicate, for example, you know, if you don't have a .mil email address, they may not even talk to you uh initially. Do they trust you to be able to do business uh within within that environment?

SPEAKER_02

So having that there's a lot of uh suspicion. Yeah, there is knocking on the door.

SPEAKER_00

And then and then and they probably should be, right? Yeah, because of the mission that they have. Absolutely, you know. So I I for me, I for me, that's the number one challenge, right? Is it's trying to find that that kind of how do I even get into this marketplace, you know? And you know, before we even talked about this, I I didn't even think that, you know, the the the challenge of well, should I go like pure army or should I go pure air force or should I go pure navy or should I do the DISA PA was even even a part of a the conversation, you know?

SPEAKER_03

Right.

SPEAKER_00

Because I was always thinking about how do I get in there, then how do I get a sponsor? Right. So that that's to me is my second challenge, right? So not only do I have to figure out how to get in, right? But it's really finding that sponsor uh with inside of Did you read my notes? I did not. Well, no, it no I guess it's mine's also sponsored. That's good. Well, because I I think if we would if we were to say this even during our previous FedRAMP conversations, you know, the number two would be I mean the number one probably in that space was was sponsored. But I think the FedCiv market kind of is a little bit easier to understand and and the mission can can be spread out a little bit easier because the financial systems and and all that seem to be very very similar in nature. Uh so understanding that business and having that pipeline built of business and contacts and relationships, going to conferences, you know, and all that, but then have finding that person who is willing to step up and say, I will buy what you have and I will also you know sponsor your your your um platform so we can get a uh full-fledged certification and or I'm sorry, authorization in the DOD space. Like exactly ATO in the in the government, uh uh the DOD space. You know, it it's very you know, there is there's some work they have to do. You know, maybe we could talk uh briefly about that, what they have to commit to, if that's probably your number two challenge as well, you know, or yeah, sponsorship by far, it would.

SPEAKER_02

I mean, that that was debatable whether that was gonna be number one or number two. But uh and and maybe some don't have it, right? So that the that subset of customers that have a niche because they've they've been on the inside, right? They probably have more of a carve out, they've got the relationships, right? Right, they're not gonna struggle as much in this area, but typically they're gonna go direct DOD RMF and not not come through the DISA PA route.

SPEAKER_00

If they have like a specific thing that the Army can use and maybe the Air Force can't, or the Marines can't, or the Navy can't, uh, or Space Force can't leverage it. But you know, if you have a a system that can be leveraged across multiple um um you know the army or navy or marines, uh well that create it it creates a problem. It does.

SPEAKER_02

And I actually get to that in my fifth, but I'll talk about that a little bit now, but but um you know, it it creates the problem of like if if they go with their the niche um relationship that they have and they do DOD RMF it, well then it's kind of limited the reuse reusability of that, right?

SPEAKER_01

Yep.

SPEAKER_02

So it's like, yeah, you've deployed it for army, but can is it on the right networks for Navy to get to it or Air Force to get to it? If it's something that you want to sell broadly, right, it can really limit your ability and or you have to, you know, now uh put it in in Air Force's cloud, right, and and redo the RMF on it again. Right.

SPEAKER_00

Go through that go through the entire uh ATO process all all all over all over again. Same testing, pay people to do all that as well.

SPEAKER_02

And and then you know that just creates side effects for the the the DOW as well, right? Because now they're they're managing multiple ATOs, they don't know it, but they are correct. Um across two different components.

SPEAKER_00

So it's or three or four or whatever.

SPEAKER_02

However many times.

SPEAKER_00

That's exactly right. Yeah. You know, I I I personally think, you know, it there are um other platforms out there that could help people with this as well, but they limit you on on the kind of uh services they'll accept as well. You know, I I think that can be uh a challenge. So, you know, there are there are some some platforms out there that can help people kind of get through that process and they kind of absorb you into their ATO. And there's nothing wrong with that if you can find you know one of those platforms that'll that'll help you with that. I think there needs to be more platforms, you know, out there that can do that as well. I I know we have a platform and we have several IL4s, IL5s, and in it, but they come in and audit our entire stack every single time. So you know, finding the same stack, yeah. We're in that we're in that stage two perspective, right? The the sponsor piece, finding that person or or or component that will the mission owner that will say, okay, I see what you're trying to do here. And yes, I think this is a great idea and move forward.

SPEAKER_02

Yep. So yeah. Um, I mean that so that's that just points right back to sponsor being you know one among the biggest issues. It's still an issue for us, even though we've got customers that have great sponsors, right? And have helped uh you know pull us all along.

SPEAKER_00

So um, I I I think that for me, the my third is just understanding the process. Because it I'm let me talk about the DISA, the DISA process. And if you want to talk about some of the RF RMF process, I don't know if you want to talk talk in more detail about that. But on the on the DISA side, you actually have to go through three different audits, not three different audits, but three different processes. You know, so you have to go through your readiness assessment first. You have to prove that you're ready uh in order to be allowed to come into uh the DISA process.

SPEAKER_02

So you have to do that readiness assessment, which is really ready for a full assessment, which is really ready for a full assessment.

SPEAKER_00

And then they have to review that package to make sure that you're ready. And then you have to go through the full the full assessment, which was already done with the readiness assessment. You know, uh it's gonna be interesting to see how they handle it when the readiness assessment goes away from a FedRAMP, because I believe they use the same documentation uh for that process as well. So once you get through the readiness assessment, then you have to go through the full, you know, full uh uh assessment, then you get a PATO. Um, and then you also have to go through the same process with the agency who is the mission owner of this as well. So you have to get your eMASS package submitted. So it's understanding that process. And then there's a lot of black boxes in that process as well. You know, you turn things over and you don't know if they're making it through the process.

SPEAKER_02

It seems like they've gotten somewhat took us a few times going through it before we started to understand that you know all the different players involved, the different offices that you have to work with. Right. Um, just the BCAP connection alone is is uh, you know, three different three different organizations that have to coordinate.

SPEAKER_00

And basically it's like, okay, ready?

SPEAKER_02

And you're the coordinator, by the way.

SPEAKER_00

It's like ready, set, go. And then once it's done, it's done. It's really it's pretty easy to do. The technology piece is real simple. Yep. The uh the process to actually get get through that entire process, I think is quite difficult.

SPEAKER_02

And I kept trying to find out who DOD Nick was. Right. But um not Nick Whitley. Is there a DOD Nick? Do you guys know?

SPEAKER_00

Exactly. We might have a few of those in here, you know. So so the process, you know, understanding that process, being able to get all the documentations written, making sure that you go through the pen test, you know, making sure you get your full assessment done, uh, making sure everybody uh has their I's dotted and and and T's crossed, and make sure, 100%, make sure if there's any last-minute rule changes, you incorporate them also into your current package. Uh, because we have seen that over and over again where rules come out and it's like, okay, they're due today. Yeah. You know, it's like, okay, yeah, but this is a big this is a big change. This is a big change for us. NSS requirements. NSS NSS requirements. And there was something last year um uh that happened to us last year. Effective immediately. Effective immediately.

SPEAKER_02

You're right at the end of an assessment.

SPEAKER_00

Yes, yeah, exactly. Uh so it's kind of hard to get that built in, not only from the assessor standpoint, but from from our customer standpoint as well. Yeah, so that process and know knowing that that process can change along the way, and how do you communicate that to your clients and and and customers to where they understand I can't predict that piece of it, you know?

SPEAKER_02

Um that was uh so that's really close to my third, but my third is kind of a side effect of of the process, right? And uh it's it's the um time to r ROI. You know, it's oh yeah, absolutely. Um and and it's because of everything you just mentioned, right? It's because the process is fairly protracted, right? Um, a lot of it's on the government calendar and the government watch. And there's very it's limited what you can um do to um compress that, right?

SPEAKER_00

Um and we have had a few government shutdowns over the last uh 12 to 14 months.

SPEAKER_02

Yes, we have, and there's just been a little bit of turnover and it turns out that not a lot gets done during those shutdowns. You think? Yeah, okay. Yeah, fairly impactful, fairly impactful. Um yeah, so you know uh um it I think for a lot of customers, especially the the small businesses that are really coming up with great innovations, they they just aren't able to absorb that amount of time. They don't have that much runway to wait on the dollars that come from the investment to get there, right?

SPEAKER_00

So do SBIRs and STTRs and OTAs help?

SPEAKER_02

I think they do, but they don't defray the whole cost, right? They they really you really need a few customers in the pipe that that are gonna that are you know that are gonna go off um to to make it to make it worth the cost, right? In my opinion. It's very hard to to have one customer that's gonna pay for the whole process, right? Right.

SPEAKER_00

And also at the same time, how long did it take the that process to be reauthorized this year? I mean, I think it expired on September 30th of last year, and it just within the last month, within the last 30 days, it's been reauthorized. So people who were planning on that, you know, it kind of went away for a while. And and to be honest with you, I was actually questioning. Oh, the SBIR program. The SBIR program, yeah. It was reauthorized and and and and uh in the defense package, you know, uh budgeting package. So I it took me a minute or so to really truly believe whether or not it was gonna come back or not. I didn't know I I knew that that that they might be pushing more people to OTAs um and not towards uh the SBIR, the SBIR program.

SPEAKER_02

Yeah, it was really hard to understand if it was a priority or not. Uh with the you know, the administration has been prioritizing uh focus on like PE firms and um because they could they could make pretty big investments into key areas of defense and things like that. Uh so you know, we were thinking, does that mean that they're not putting as much emphasis on SBIRs and stuff like that? But fortunately it looks like that's not the case.

SPEAKER_00

Yeah, yeah. Although I I I did see an article published uh this week that was saying um uh I believe it was the Army that was saying that they're really looking more for the whole system, right? The whole system as opposed to the piece parts like they've done the the SBIRs before, where they can you know carve out you know smaller amounts of money per customer or per per vendor who can then do some experimentation to see how it actually comes up. Because it used to be some lot the SBIRs were really designed for competition as well, not just from a competition from a RFP perspective, but who can produce the the best product uh for the least amount of money at the fastest time as well. And I um based on that, I I don't know if they're gonna be thinking a bit more about the prime contractor world where you you know you hire a prime prime contractor to go do something without the experimentation. Right. I mean it's like do you really know what that something is yet?

SPEAKER_02

Right, you know, yeah, yeah, it takes some investment to get there and figure out, you know, is this even viable or or what are the different pathways to to make it happen?

SPEAKER_00

Right, right. So cool, cool. So what what do you what what is your your fourth then?

SPEAKER_02

So you're you're you want to know mine first.

SPEAKER_00

Yeah, this time they're actually a lot more aligned than than I think we thought about when we first started talking, yeah.

SPEAKER_02

They are they are uh in different ways, but yeah. Um it's it's some of it's the way we think about it too. Uh so my fourth was just managing the deployments. So, like, and this is more of kind of when you're in the throes of the assessment all the way through um to onboarding the customer and and that kind of thing. It's uh a lot of our customers are a bit shell-shocked at well, now I've got a US only enclave and I've got to manage this differently than I manage everything else because I've got developers all over the world. Um, you know, how how am I gonna uh to to manage this as a sort of a a one-off deployment with different rules, different access control, uh, and and those kinds of things. Yeah. That's that was the one that uh that I've seen customers kind of scratch their heads on. And I mean, honestly, it it it it's what gets us introduced to customers to begin with, because we can that's part of what we do, right? We've we're used to operating in these environments and what it takes to to uh do the right things to um operate them correctly and and compliantly.

SPEAKER_00

So that is my fourth as well. US person, US force US persons on US soil, you know, because like you said, that's that's one of the things that truly has brought us into this space. Yeah. Um you know, it it true you know, not having the right people to be able to do the jobs. This can be a challenge for us as well, not from understanding the skills, because we know the infrastructure. We know CI/CD pipelines, we can do vulnerability management, ConMon management. We do all this underlining, you know, support services, managed services for our the CSPs. It can be, in my opinion, a little more difficult to support some customers who have applications that. That they want us to support when they don't have run books as an example, or if they don't have the you know the right observability built into the system. So, you know, and we can do that, but we just need to have that extra extra knowledge. There's a little bit more turnover perspective that needs to happen, you know, to be able to bring us that capability to be able to do inside of their application stack. Um, we do support several customers that way, but it is a little difficult to do because they might do a patch or they might not fully explain it to us what they've done, and then we have to go back and support whatever, you know, what they've done. What we've also done is we've designed our system in a way that we can build a stack that's a little bit outside of the boundary, right? So they can have um their their um non-US citizens go into, but doesn't have access actually into the production environment. So they can actually bring things into a pre-configured solution that's very similar to what they have, and they can test whether or not you know that it'll it'll work inside of kind of work out the run books there exactly. Yep, yep.

SPEAKER_02

So um yeah, and you know, some of our customers are are of the scale where it's like we would never entertain uh handing over operations of the uh of the app, yeah. And and and that's fine. Um, you know, in those cases, we we build the enclave, we we um we we manage the security stack that we deploy and and all those things. There's even some cases where you know we've had a couple customers in that tier two category that are just too big for that.

SPEAKER_00

Right.

SPEAKER_02

Uh, and they want more control over the design and architecture up front. And in those cases, they're like, hey, can you we we like the way that you did your SIEM. Can you help us deploy those kinds of things? So we get a lot of um a lot of great feedback on. I mean, I can't imagine that there's any pl platform out there that's doing things at the scale that we're doing it, right? For the size customers that we're right, we're building for in a lot of these cases. Um, but yeah, we've got some great customers.

SPEAKER_00

Yeah, that's true. That is absolutely true. Um, it and it's fun, fun to work with you know, with them as well because they bring up unique challenges. I was uh you know, one of my most famous same sayings here at InfusionPoints is every customer we have is exactly the same, but completely different. Totally different, totally different, completely different.

SPEAKER_02

Well, and it it uh it's also made us think about the platform uh as be as being um as open as possible, right? So you know, a big part of our design criteria was we don't want to force you into a certain deployment model, we don't want to force you into um our dev tools or our dev stack. Um, you know, bring your own because you've you've you've been uh most of our customers are big and they've they've got their pipelines already established, they've got their tooling, and we can help them in some cases we have to substitute something out. Um, but in a lot of cases we can help kind of adapt what they have and make it work right for the way that they deploy into into these DOD environments.

SPEAKER_00

Which leads me to my fifth. So let's see, let's see if we differ here. It sounds like we did because it's like you gave a little hint to your fifth. And to me, it's the hardening piece of it. It's the the the leverage and having to leverage the STIGs, you know, having to follow all those additional uh general requirements that that that's you know inside the um uh the GR requirements, right? It's you know, pulling that hardening capability, you know, for the entire environment and then a hardening environment for the individual OSs and can containers. That to me is the is is a huge challenge because sometimes a STIG isn't built for a specific service or a specific OS or a specific database. So it's very difficult to find the right tool to not only build and harden your environment for, but it's also the very difficult to be able to scan it and prove it over and over again in an automated fashion.

SPEAKER_03

Reliably, yeah.

SPEAKER_00

Yeah, reliably, right? So that's always a challenge, you know, a uh a customer chose choosing an operating system that there's not a STIG for, or maybe it's a version of that STIG or that version of that OS that doesn't quite have a a STIG on it. So it's like, how do you prove that? And then you know how do you do that over and over again? Um, and then telling people what STIGs are and what and and why are they different than anything else as well, or finding commercial tools that can leverage you know that's that STIG compliance as well.

SPEAKER_02

Yeah, I mean a big part of this is the pain we felt, I think, working with the tier twos, right? Because they've they tend to be much more complex. Um, maybe they've got you know multiple images that they're using, um and and with a lot of built-in dependencies, right? Yes, and and they realize that that the uh the number of sprints required to to totally adapt to a different OS that that is STIG hardened, right? It's just gonna take it's gonna extend that timeline even even further, and they don't they don't want to jump into that, right? Um so yeah, I mean it's you know there's a lot of different methods that we've leveraged to to move away from that. Sometimes it's bringing in like a Chainguard or a RapidFort or something like that um that we've that we partner with. Um a lot of times we can kind of get them over the hump um you know, you know, using our methods, right? Using um the images that we create, or you know, helping them leverage the images that they use in a in a way that does meet the STIG requirements.

SPEAKER_00

But it's always fun to explain this to our customers. To me, this is like you know, from a technical perspective, this is probably the number one challenge is making sure everything's hardened to the right level of hardening and then being able to build that in and then being able to prove that, you know, over and over again. And trying to explain that to customers sometimes can be very difficult for them to understand the level of difficulty that is in this, and what we attempt and how we attempt to remove that risk is by saying if you leverage these OSs, then it'll be a much easier way to prove this, and then you'll figure out how you can operate um in in this environment as well.

SPEAKER_02

So things like Vader is helping a little bit with it, um, you know, the the change, some of the changing standards. But um at the same time, we can't really rely on that yet for the D side, right? So um these customers that are kind of in between, um a big a big focus area for us is helping them um adapt not only to the Fed Civ side and what's going on there, but um, you know, stay have a very strong um uh posture and stance.

SPEAKER_00

How do you feel about that? I mean, on on like supporting those kind of customers, especially I think it's our sweet spot.

SPEAKER_02

It's just what we do. I mean, number one, we're we're leaning into the innovations going on on the the Fed Civ side, on the FedRAMP side. Uh we've been very uh supportive of 20x and what's uh what you know the changes that are going on, the changes in the standards to Rev5, uh that that hopefully we'll see here coming up in June, right? Yep, yep. Uh we're I think we're all anticipating that one.

SPEAKER_00

Yep. I think we got a preview of that the other day, and I think Tanner was telling us that there's probably not a lot of changes than what we've already known. So we're already moving right down the right path. So I think I feel good about that.

SPEAKER_02

But um, but yeah, I mean, right right now I think I can't imagine anyone that's better situated than we are to help customers that are trying to navigate in between and trying to figure out. In fact, we picked a customer like this up that you know sees the 20x opportunity right in front of them, but also knows that they they they've got IL4 uh hanging out there as well, right? And IL5.

SPEAKER_00

So um because they had that number one challenge, right? What's the number two, right? The number number two challenge is lack of sponsor, right?

SPEAKER_02

On the the Fed Civ side. On the Fed Civ side, right? They've got they've got probably sales opportunity on the the DOD side. Right, right. So how do they um how do they do this in a way that that uh it all works together, right? And the way that we've built our platform was around Rev5 and and uh DOD SRG to begin with, right? All the way up to High and IL5. Um and and uh 20x is is like okay, let's flip the lens a little bit and provide a 20x view of how we're doing things in the environment, right? Um, and in the same way we could flip the lens for CMMC or you know other frameworks, absolutely as needed.

SPEAKER_00

So what's your fifth?

SPEAKER_02

So so my fifth was different, but I actually it kind of follows right along with what we just talked about. It's uh getting that second customer.

SPEAKER_00

Wow.

SPEAKER_02

Um, so so often, you know, our customers have that one mission owner, yeah, and and they they get that one mission owner, but again, you know, it's probably not enough of an ROI story within that first customer to to really make everything worth it, right? Right, right. And I I love it when our customers are really winning and um you know they're they're providing their services to to government, government's happy about it, uh, but they're also getting the ROI that they were looking for.

SPEAKER_00

Right.

SPEAKER_02

Uh and I I don't really consider our mission accomplished until like until our customers are there.

SPEAKER_00

100% agree. Yeah, yeah. Because they're if they're not successful, then then we can't even claim success, right? Just because we help them get over the hurdle of the ATO, ultimately they want to sell their services and make a profit on those services in the government space. It's great to be able to sell things to the federal government because they could, you know, they can leverage your service to do a mission, right? But it's also great that we have to be able to build that eco uh echo economic system and an ecosystem that can sustain people and their businesses so they can train people and continue to innovate and drive new new features and functions into the services. So second customer, third customer, fourth customer, you know. So you have to figure out that how is that balance you know across the board. I I I like that a lot, you know. Um that's you know that's why you gotta be focused on the business here. Because if you're not focused on the business, if you only focused on the functionality, if you only focused on the ATO, and then all of a sudden, you know, you got your ATO, then what are you doing about building your pipeline, you know, and into here. So 100%. So uh what do you think about you know? Well, thank you for the uh entertaining me on the uh the five challenges, the five challenges. I think they were pretty close, you know, where there's just slightly, slightly uh uh a different, you know. Let's talk a little bit about where do you want to see this go? I mean, we've seen Swift come out, we've seen you know, the the new CMMC come out. Um, you know, we've seen some other things come out from just trying to get the cATO come out. You know, what other things would you really like to see the DOD embrace? So would you like is it FedRAMP, like a FedRAMP 20x kind of thing, try to go to the automation, you know, world, you know, absolutely.

SPEAKER_02

I mean, I I think I think the future's automation and I think that the way that the threat surface is changing so fast in the age of AI and agentic AI, I think it's just it's gonna be table stakes if it's not already. Um, you know, for us to to to move much faster on on these things. I mean I saw the news last week that you know Mythos was the first AI lab, or I'm sorry, uh Anthropic. Um but but now um there's a second um AI lab that's has the capability to to you know link the whole kill chain together with a zero day uh very reliably now. Um so you know we're in this age of of zero days dropping and and time to exploit just plummeting uh dramatically. So like in in in that kind of environment, right, um we can't we can't be pushing paperwork. Right. Um we can't be pushing paper compliance.

SPEAKER_00

So how do we get the incentives in place though? You know, from the DOD perspective, you know, on the uh on the commercial, you know, CSPs perspective, what kind of incentives do you think we need to have in this, you know, is it contracts, is it milestones? You know, because think about the think about the industry that's already built to support this current, you know, FISMA RMF process. I mean, there's tons of customers that they pay millions of dollars a year just to maintain their ATOs, not only from a commercial, you know, cloud perspective, but also from an internal perspective as well.

SPEAKER_02

Yeah, I think I think it would be helpful for government to have an avenue for platform companies like us, right? Uh to be able to direct contract or at least get an eight at least get a sponsor to get right to get our platforms ATO'd, right? Because that that would greatly reduce the amount of work, uh of the amount of rework um that we have to do, even for you know, like our XPU 40 platform, right? That same exact platform, the same uh, and I don't mean just a copy of it. I mean that that exact platform is audited multiple times for the same controls, uh, just because it's part of different ATOs.

SPEAKER_00

And different agencies and different you know uh organizations, right?

SPEAKER_02

Yeah, or or even let us take one of those ATOs and split out uh two records, you know, and say, okay, InfusionPoints has a record, and then our customers have a record, um, and then then build from there.

SPEAKER_00

Then we then we could do a lot of inheritance, right? Which which saves money on time uh uh from from an audit perspective, which ultimately the government pays for, right? So if we have to go through multiple audits on the same stuff over and over again, because every vendor chooses a different um uh 3PAO as well, right? So they can't swap and accept evidence from each other, right? So it makes it very difficult, you know, to kind of you know enforce that across the one platform, you know.

SPEAKER_02

I mean, I really think you know DISA should look at or or really DISA can't do it on their own. It's gotta be a uh that's where the incentives come in. A force-wide effort, right? It's gotta be the DOW uh who's pushing this. But um the original vision of of the DISA PA was to allow you to get in a catalog for reuse, right? And that's the big thing that opened my eyes this year going to WEST, talking to a lot of companies that that were in enclaves in various places, multiple RMF, you know, ATOs, a lot of rework, um, that's not even really accounted for. Um and then knowing that that DISA catalog is out there, the cloud catalog, um, just has so few of those players in it.

SPEAKER_00

It's mostly big, like if it's the big ones, the big IaaS players, right?

SPEAKER_02

Or yeah, or the big like zero trust platforms, correct, right? Like the Zscalers and those.

SPEAKER_00

Yep.

SPEAKER_02

Um it's it's a shame that that you know there's not we're not pointing more back to, hey, if we're gonna do this effort one time, let's make it at least where we can reuse it, right?

SPEAKER_00

If you think about it, you know, going going to say the old FedRAMP process, you know, it really the way they the way they started to try to do this, and then they were not 100% successful with it because I think they still got overwhelmed, but they had the agency um authorization and they had the JAB authorization. Now, I'm not saying the JAB is is a DISA authorization, but if you think about it from a context of you get your you get your one authorization, then you can leverage it for multiple places, then that's where I would see like the DISA won B or like a catalog of people that can leverage different cloud services, but the individual component can then leverage you know that that that that system for their application for their for their use, right? Yeah. Uh and then maybe they do the authorization, and then that can also then be you know taken across the board. I I don't know from a legal perspective, uh, because I haven't looked into it uh enough to understand that, but from a kind of what makes sense perspective, maybe that is a a way that they can handle that as well.

SPEAKER_02

I mean, that's really what FedRAMP always was before the legislation was passed, you know, FedRAMP existed for 10 years before before there was law.

SPEAKER_03

Before there was ever law.

SPEAKER_02

And and it was just a a workaround, quote unquote, for FISMA, right? Right. It was like, okay, let's call it a P-ATO. So it's not, we're not saying you're authorized. Um, but we'll have government sort of pre-review it and we'll put it in a in a repository. And if anybody wants to to look at that assessment, um, any agency can look at it and adopt it, right? Uh and grant their own ATO. It it's you know, the DISA PA is supposed to be that, right? But it's really, it's really only the the big, like you were saying, the the big tier twos, the big zero trust providers, uh, the Palo Altos and you know those big companies that that have broken into that. Um, and you know, all the smaller niche players are just left to to deploy wherever they're asked to, you know, and then that can't be reused. There's all that rework going on.

SPEAKER_00

Um it's being paid by the taxpayers every single time, right?

SPEAKER_02

You know, so you know, and then there, you know, there's the there's there's a few players out there that that have developed a market out of this, right? Um, but should it just be a couple players that are that are getting that that market or should it be?

SPEAKER_00

It's also limited too, right? It limits containerized type systems, you know, if you have a three-tier system, if you have a different uh serverless system, you know, they they may not they may not be for you, right? So um all right, so if you if you were in the prediction market, you know, would you want to try to make any predictions on on how that kind of plays out with kind of some of the modernization that's going on in the Department of Defense? Uh if you were a betting man prediction market, you know, kind of thing.

SPEAKER_02

Well, you know, I I'm I'm a clinician, right? Like I look I like to look at what's actually going on, how things have happened in the past, and make judgments based on that, right? I'm caught I'm I'm optimistic. I mean, I there you go. I know there was uh there there was Swift and and some some tea leaves that we saw, right? And then we've seen that sort of there's not a lot of momentum yet around it, you know. But uh I am hopeful that once things get worked out more with 20x, um DoD will kind of have a 20x plus kind of like what they did with FedRAMP. Right, right. Where it's gonna um require some extra things to do business in in the DOD, DOW. Um, but it's it's uh at least gonna be sort of the same, at least the same framework, um instead of like a totally different framework. Right. Which I mean what what uh you know FedRAMP has done with 20x is like a complete top to bottom reimagining, yeah. You know, and and uh in a lot of ways it was it was needed, you know, uh you know, desperately needed, uh, just because the the FedRAMP process and I mean uh everyone talked about it just in hushed tones, and we've been less hushed about it, right? Um about it just being broken, right? You know, um fundamentally not working, um, and certainly not approachable for a lot of the market that wanted to sell into federal. So you know, I think I think we're at the dawn of a new age of seeing uh seeing some promise and and hope that that's gonna be lifted on the Fed Civ side. Um there's gonna be more opportunity to sell into federal. Um I know, I know that um, you know, based on the just the uh velocity of things going on on the DOW side, um, you know, with the war going on and and um just just um the focus of the administration on uh DOW, right?
Inefficiencies and well that that and just the the threat, the global threats and what's going on with drones, and I mean you name it right now, there the the need and the demand for innovative um software and and you know integrated with with uh warfare systems and all is is higher than ever. Right, right. So I don't think so.

SPEAKER_00

The need, it's, the need's there.

SPEAKER_02

The need's there.

SPEAKER_00

It's not gone away. You know, so what the what we really need is some some some still some modernization and and uh efficiencies and and maybe some more transparency, uh open, open it up and be able to look inside a little bit more, be able to predict.

SPEAKER_02

Transparency, I think, would help a lot. Yeah.

SPEAKER_00

And businesses, you know, predictability is an important thing, you know. So being able to predict when you can have a uh software ready to sell to your customers and not like all of a sudden, guess what? You got your ATO. Oh God, I haven't I I sold six months ago, but I haven't sold again. And then there's the whole life cycle of procurement.

SPEAKER_02

I've been having to keep this thing alive, right?

SPEAKER_00

Exactly. There's the whole life cycle of acquisition that they got to keep up with as well. But yet it's like this you can't get too far because you know of the ATO. That ATO is slowing them down. And you know, there's there's got to be some ways to to pick up the speed there to make it a little bit more predictable, especially when you have companies, you know, not to brag on us a little bit, but I think we do a pretty good job in this space. You know, it's it's it's uh our customers. Way better than average. Well, probably way better than average. You know, you go through the marketplace. There's quite a few of the ones, you know, that that use our services uh to make it through. You know, it really a lot of it is just having that ability to be predictable, right? So that's what I would like to see is to be a lot more transparent and to be a be able to be more predictable. So we can go to our customer and say, it's gonna take you six months with our process to go through this. And we know that it's gonna take six months.

SPEAKER_03

Yep.

SPEAKER_00

Yeah. I would love to say 90 days, right? I would love to say 30 days. Yeah, but if we could even get it to six months and be able to know that it's to make it all the way through that process. Yeah.

SPEAKER_01

Yeah.

SPEAKER_00

I think that would be very helpful. And that's not just on the DISA side. It's also once it hits, you know, the uh the the the end the in the mission owner side, right? Getting it into them to the eMASS, you know, getting in and all the things that we need to be doing over there on the on that side as well. So and then making sure that we can follow up with ConMon. But if we could get that down to some predictable timelines, that would be very helpful for business. Because I think that's what really what business needs is that that that predictability piece. And I think you know um if you have a platform already um and it it it you know and and you can get brought into their ATO right that can give you some predictability but I think there's a lot of risk also in doing that for their ATOs and then also for everybody else in those platforms as well. So, well, Jason, this has been a fabulous conversation.

SPEAKER_02

And we're going to be talking more and more about DevTech. And in fact we're going to be out, out at quite a bit, quite a few events. Right, yeah, you want to talk about a few of them? I mean, go. I mean, basically every FC, pretty much, pretty much every FC I think we have, we have a sponsor. Yeah, we're gonna be at TechNet, we're gonna be in Augusta, and then uh we're not, we're not actually doing a a presentation at, uh, or not, don't have a uh booth at, um, uh, SOF, uh, but we'll... SOF Week, yeah, yeah, so we'll, we'll, we'll be there as well. Yep. And then there's a few others I think we're attending as well. Several. Alamo ACE, I think we're looking at Prodacity. Rise8's, or Prodacity, thank you very much, we'll be at Prodacity as well, come August as well. So it's gonna be a public sector summit. Yep. And party with us. Yeah, DCP Tuesday night, right? That's it, that's it. Yeah, Tuesday night at the Marriott we're gonna, um, open up the, uh, what's the name of that room? Oh, of course you would ask me right now. Uh, Anthem. Anthem, Anthem, Anthem. Yeah, behind the main bar, yeah, it's where everyone goes after the, all the happy hours. We're having our extended happy hours. This is an after, after hours, uh, after a happy hour happy hour. Yep. 8 p.m. to 12 a.m., food and drinks, join us. That's it. It's been great, thank you very much. I know you're not, I know you're not feeling great today, sniffly, and yeah, appreciate you, appreciate you, yeah, appreciate you coming in and, and, uh, doing it up, uh, because, uh, I was just gonna do a, my five challenges, and I think it works so much better, yeah, with, with both of us doing them together. So I appreciate your time and, uh, yeah, what do you say at the end? I don't know, I don't know the ending. Gary's giving the ending. Well, man, I have not... So, uh, thank you for attending, uh, another episode of Behind the Shield. As always, you may not find... Caitlin's over here laughing at me because I get this wrong every time. You may not find just me behind, uh, the shield, maybe it's somebody else
from InfusionPoints, uh, driving the show. So thank you guys for your time, I appreciate the conversation. Cheers. Thanks all.