Behind the Shield

FedRAMP 20x, GRC Engineering, and the Future of Compliance Automation with Eric Beasley

InfusionPoints Season 1 Episode 36


What happens when compliance, engineering, cloud operations, and auditing all converge?

In this episode of Behind the Shield, Gary Daemer sits down with Eric Beasley, Director of Compliance and Engineering at Earthling Security, for an in-depth conversation on the evolution of FedRAMP, the emergence of GRC engineering, and why automation is becoming a foundational requirement for modern compliance programs.

Drawing from nearly a decade of experience across FedRAMP, FISMA, auditing, engineering, and cloud operations, Eric shares practical lessons learned from helping Cloud Service Providers navigate authorization challenges while balancing security, compliance, and operational efficiency.

The discussion explores how the FedRAMP ecosystem has evolved from manual evidence collection and screenshots to automation-driven approaches enabled by cloud-native services, particularly within AWS environments. Gary and Eric also dive into continuous monitoring, compliance telemetry, AI's role in security operations, and what the future may hold for FedRAMP 20x, cloud service providers, and government cybersecurity programs.

What You'll Learn

• Why manual screenshots became the standard in traditional FedRAMP assessments
• How FedRAMP 20x is changing the way compliance evidence is collected and validated
• What GRC engineering actually means and why it is becoming a critical discipline
• How AWS-native services enable scalable compliance automation
• The difference between collecting compliance data and proving security controls are actually working
• Why continuous monitoring requires more than simply verifying that tools are running
• The challenges of extending FedRAMP 20x concepts beyond SaaS into PaaS and IaaS environments
• Where AI can help compliance teams—and where it can create new risks
• Why the next generation of cybersecurity professionals still needs strong engineering fundamentals
• How automation, cloud architecture, and security operations are converging to shape the future of compliance

This episode is packed with real-world stories, practical insights, and honest opinions from two industry veterans who have spent years building, assessing, securing, and operating cloud environments in some of the most highly regulated sectors.

Chapters:
0:10 - Introduction
0:35 - Eric's Background
1:32 - GRC Engineering and Automation
4:57 - Challenges and Efficiency
7:15 - Auditing and Compliance Themes
13:50 - Cloud Services and FedRAMP
22:09 - Data Center Transformation
32:16 - Future of Compliance and AI
48:49 - Training and Skills for the Future
54:14 - Personal Insights and Closing

Guest Links:
LinkedIn: https://www.linkedin.com/in/ericbeasley33w/
https://www.linkedin.com/company/earthling-security/
https://earthlingsecurity.com/

Learn more about InfusionPoints:
https://www.linkedin.com/company/infusionpoints/
Gary Daemer: https://www.linkedin.com/in/infusionpoints/
Request a Demo: https://xbu40.com/

InfusionPoints & AWS:
InfusionPoints is proud to be an Amazon Web Services Premier Tier Services Partner, supporting organizations in building, managing, and defending secure cloud environments.

About Us:
InfusionPoints is a trusted cybersecurity, cloud engineering, and compliance partner helping organizations Build, Manage, and Defend secure, mission-ready environments in highly regulated markets.
We specialize in FedRAMP, FedRAMP 20x, DoD, and enterprise security frameworks, supporting organizations from initial authorization through continuous monitoring and optimization. Our team brings deep technical expertise and real-world operational insight to every engagement.
Through our independent, security-first approach, we integrate people, processes, and technology to deliver scalable, compliant, and resilient solutions. From strategy and architecture to operations and defense, we help customers move faster without sacrificing security.

Welcome to another episode of the Behind the Shield Podcast. Uh today we have a great guest, uh Eric Beasley, and um he's gonna just uh real quickly describe who you are, what you're about today, and why you think you're on the podcast today.

Yeah, um so I'm I'm Eric. Uh I work at Earthling Security. I'm the director of compliance and engineering. Um so Earthling is a uh 3PAO, and we provide managed services for uh um company, CSPs that are seeking like FedRAMP authorization. Um I uh I have kind of two hats at the moment. I'm running both compliance and engineering. Um so a lot of that that's kind of the the crossover between the uh you know your security controls and the automation related to it. Um so yeah, I've been doing FedRAMP for about eight years or so at this point. Um before that I did FISMA. Um before that I was a sysadmin. Um and here I am. And I think I'm here because Gary wanted somebody entertaining on the on a show.

There you go. I want to I want to be able to have somebody who can laugh at my bad jokes, is what I really look for. So I'm already kidding. It sounds to me, you know, be doing compliance and engineering sounds to me like you're in the right space uh with this whole new GRC engineering perspective, uh you know, really integrating automations uh into the compliance efforts. I personally, I'm a systems engineer, and I think of it really GRC uh engineering as a part of systems engineering. If you design your overall system properly, you integrate all these uh nice fine components into your uh compliance solution as well. I I personally, this is my personal opinion. I'd love to get your opinion on it. I think most of the reason why people haven't integrated or automated this stuff here up to this point is because it really wasn't a requirement until really like now, because everything was manual and screen captures.
I know a lot of people are kind of giving some people um kind of uh bad news or bad press over that, but that's just what what the requirements were, and not only from a um uh kind of requirements from the auditors, but that's what they were required to do based off of their accrediting bodies. So, you know, we really moved from that space now into more automation, but in a lot of cases, and this is where you is is people are now going to more of the automation and the accreditors are allowing and the auditors are allowing you to deliver that automated solution. So I'd I'd love to get a just a feel for how you feel about that and and and what you've seen.

Well, so you bring up probably the most important part of this discussion, Gary, is that what was the PMO like two years ago?

Oh, right.

Like everybody forgets that. Like we we we have to keep put this in context. When we talk about like automation, GRC engineering, okay. I couldn't imagine going to the PMO six years ago and being like, here's a snippet of code from GitHub. This is how I'm fulfilling file integrity monitoring. Okay. The reviewers from six years ago would have lost it on you. And you would have had nasty grams. I mean, assuming they ever got to that after their hour and a half boundary diagram review, the complaining about how big your pictures are, and why does this say FIPS instead of FIPS 140-2? Um, you know, that that nonsense. Like, like the entire FedRAMP program has shifted in the last two years to the point where now automation is acceptable and where it's in in fact it's being encouraged and incentivized um through the 20x program. And so, like, when we have these conversations, we have to start with we took screenshots and read SSPs and manually reviewed stuff because that was what the requirement was.

Correct.

That doesn't mean that it was the right or wrong answer.
Listen, I've spent plenty of time working in the federal government and like I could tell you about five million dollar broom closets because that's because that's what the requirement was was to have a closet right outside to hold your brooms.

Yes, I brooms and mops, and I made profuse use of them, right?

And so, you know, we have to keep that in mind. I think that, you know, so when we're when we're talking about automation, what we're we're we really just need to remember is that the PMO had different rules, and now the PMO has decided to like A, actually be somebody who you know who they are. I mean, look, I didn't know who the PMO was until Waterman took over like what two years ago. I'd uh you if you asked me what that person's name was, I could not tell you. I could not I couldn't tell you what they looked like, I couldn't tell you if they had cool glasses or not. Nothing. I can tell you all of that about the current PMO.

And so which memes I like, which ones they didn't like, kind of thing.

Yeah, even as number two talks about how great the memes are when you work at FedRAMP because we all me and Pramify like to make fun of them.

Right.

So, you know, we uh like this entire environment has like really changed. And I think that um I think that's I think that people are pushing on this like GRC engineering thing. I think that it's it's the right direction, but I think that people are diving way too hard into this, and I think that they are overcomplicating a lot of like simple solutions. And I know that's that's probably like the uh I'm like the only person who believes this, I think, sometimes. Um I see I look at it from because I look at I'm a sysadmin, so of course everything is solved with a bash script, right? Absolutely, right? If you're a carpenter, you solve everything with a hammer, I'm gonna solve it with bash, okay? Um I like automation, I like things that are like moving forward. I I like having less work to do, just like every sysadmin does, right?
Um we're not lazy, we're just trying to find better ways to do things more efficiently, right?

Yes, we're just efficient. We I just want to be like I always you know, I always make the jokes like I want to spend more time with my chickens than I do um, you know, reviewing SSPs. Like really what it comes down to, right? But I look at okay I want the automation to be something that is like worth my time. There is a level of like, how much time does it take me and my engineers in order to implement this like automation? And then how much time does that save me over the course of a year? Right. How like how reusable is that, right? Because you know, I'm a big I I I I know that y'all are an MSSP too. I'm sure y'all love it when like one of your clients says, Hey, can you do a thing for me and then repeat that across all of your clients?

Correct.

Right?

Yep. That's that that's the efficient thing.

Right, exactly. And and that's the efficiency that people get with going with an MSP. So they don't have one person doing a task one time and having to be paid full time to do that. I get paid by a bunch of people to do something once and then repeat across environments.

And then and then leverage it all the way across. You know, one of the things, you know, that really uh so we we manage, I don't know, 20, 25 different systems uh in the FedRAMP space. And you know, so it means we would go through audits just like our customers were, right? So we would go through that many audits every single year, and we're still doing that, right? Um you know, one of the areas that used to frustrate me is when they would ask you to go into your Active Directory, right? And go into the little little area to uh uh pull down the the different configurations. So when one area they would say, show me this.
And so you'd go in and you would show them that, and then you would say, Show me this, and then you could show them that, but it's in a different part of the interview because it's a different part of the uh uh control. Right. So I you know, I was like, so how about how about I I just run this script that we wrote that we use to make sure that we're compliant, right? Um, and and then we can spit out all that into one, you know, one big table that will show you all that is is actually being pulled from that system, and then it's also, you know, you'll save time to not have to ask the same different questions around the Active Directory. Um and I showed I showed the auditors that they're like, nah, we we just can't do that. We have to get screenshots of the individual uh places inside of the GPOs so that when uh the IG reviews it, they'll know what they're looking at because they don't understand this this um this table XML output.

XML output or whatever, right?

So we were actually doing it with just table output, like a regular standard uh table, uh ASCII table, right? So but but they still couldn't, they still couldn't get their head wrapped around it. But it well, here again, it wasn't their fault because that's what the expectations of their accreditor was, and that was what their expectations of uh the person reviewing the packages uh were as well. You know, so um you know automation is key, and it's the only way we can scale um all you know to be able to scale across that many different solutions.

So Gary, I'm gonna talk there, there's two problems in in this whole scenario, okay? And so the first problem is you were probably you're probably talking about an auditor doing AC and IA, right? Okay. Any auditor SC as well. SC as well, by what you've got the encryption, right? Yeah.
Well, and and see any auditor that is worth their salt knows enough about these controls that you're supposed to be auditing, they should be able to say, okay, I'm gonna, we're gonna go into Active Directory. And here's everything that I need out of Active Directory. Like, you know, one thing, you know, GRC engineers like making fun of people that have memorized security controls, but guess what? When you have memorized them, I know, hey, you're showing me Active Directory. I know all of the controls that I need to get information out of your Active Directory for. So I go there one time, I capture everything that I need, and then we're done. You know, you so there's a there's an audit management issue here too. Like the audit, a lot of the 3PAOs, like I have very, very mixed results with them, right? And sometimes you get teams that are experienced and they know what they're doing. Um, sometimes you don't. And it's a very like mixed bag, you know, with all of my clients, it's a very mixed bag of which like who shows up that year in in a lot of ways, right? And so I think the first problem is it's just having the auditors that know, you know, AC and IA go together. That's the same interview because it's the same information sources, you know.

Like when they when they when they wrote um NIST 800-53, it was never designed to be control by control, right? It was really we we we have these things we call themes that that we don't. It's sort of the same way I think I I think I was hearing you say, so Active Directory covers these controls. And so when I go to engineer this, I want to make sure it covers these controls. So let me let me talk to you about my themes, and then I can show you how we're meeting um the spirit of those of all those individual controls.

Yeah, like look, if you're gonna have to copy paste, we use Okta 97 times into your SSP.

Exactly.

But you only have to show it to your auditor once, right?

Right, right.
But that's not how that's not ultimately how it ended up. And that I think that's where, to me, the beauty of of where the 20x is going, right? And the 20x is really taking it down to that level to where you can pull that bits of information out and then you know, do you soft a red, uh, uh yellow, uh green uh perspective. Hopefully they're all green. But if they're not, then you know, every now and then you're gonna get a red or a yellow in there, right? Um but if you do it over time, then that that's okay as well, right?

Yeah. And see, and I look, I I like the scripts. I like pulling the information out automatically. Me as an auditor, I still want to see that like you're actually running this on production. Like, look, I I you know, I I've I've been an auditor and a CS. I I work on both sides regularly, right? I have seen environments where, for example, they like they won't do like web application scanning in their production environment. Okay. So me as an auditor, I'm not just gonna take like a trust me bro, like these environments are identical. I need to, I need to be able to see that. And I like having this, like if you can, if you can put a hash value on it, then that's great. I'd rather see a SHA one, but guess what? Not everybody seems to be able to do that for me, right? So

Yeah, that that that can get a little hard. But I tell you, the you know, um, you know, not testing in your production environment to me is okay if you have a pipeline that leads into your into your production environment that pretty much is identical to what you're you're testing on. So you have to kind of prove that piece as well. So you need to do some testing on on the pipeline as well.

Exactly. And see, and and that's like, how do I how do I test the pipeline between essentially like like uh because most FedRAMP CSPs, they have their commercial cloud and then that pipes into their government cloud, right? And so I how exactly do I test in some sort of automagical for method?
Like one clay, this could be any cloud going into another cloud, which then goes into a production environment. Like, how do I like how do I hook a script in to cover all three of those things? Like sometimes I just need to see it like manually too. Um, I I I wanna I want to minimize what I have to review manually. I don't want to have to sit here and take 19 screenshots of all your S3 buckets to see they're encrypted, right?

Right. There's there's there's there's there's a perfect example of where automation is is king, right? Um and and and so you know, um I I don't know which which cloud services that you guys are that you guys leverage, but we we mostly leverage uh AWS. And the beauty with AWS is they have these great tools inside of AWS. So you can quickly set up your your minimum uh assessment scope, right? Or you know the overall boundary scope as well within the Rev 5 side. Yeah, so it's very easy to say it covers these accounts, and this is what's inside of each in the in each of those accounts, these services, these lambdas, these these containers, it these EC2s, so forth and so on, right? Um so it's very easy to do that. So you can start to categorize them in that way. So that way you know you're covering your scope. And that way you're also knowing you know that you're covering all of the S3 buckets or all the EC2s that are in there, you're not hiding anything uh as well.

Look, tagging is great for that. That's what I we we we set that up. It's great. Um, we interface that with Qualys, that's kind of our preferred uh vuln scanner. And so I I I love the tagging for that, especially because it gives me visibility into every one of my client VPCs. Um now I have mostly AWS, I have like a couple of outliers that are in Azure. Um, but luckily I have like a really good Azure engineer. So um Azure was a big pain point for a long time. But once we got like once we got somebody that really knew what they were doing, um Azure became just as easy as AWS.
Like it's it's this old, you know, when people come to me and they're like, I get this all the time. Where should we put our our SaaS? Should we put it in Azure or AWS or GCP? And I tell them, whichever one your engineers know the best.

That's a fact. That's that's kind of what we say as well. We just happen to know AWS the best. As a matter of fact, a lot of our larger customers, um most of their backplanes that we build are in uh AWS, but then their workloads sometimes are in Azure or they're in GCP. Um and we now have one that's in actually in Oracle as well. And uh so the the major um the major backplane, even the maybe the major part of their application is in AWS, but that means they still have workloads in all these different clouds. So our our we have connections to all of them now.

Well that's the nice thing about you know FedRAMP, like audit once, like reused many times. So if you if if Oracle Cloud does something better than AWS, like guess what? Make your account, hook it in, everybody's happy.

Right. Mm-hmm. Yeah, absolutely. I I think it I that's where the uh IaaS providers I think are really doing it right. And I you know, I often talk about you know, it's much easier to do this whole 20x thing in a cloud native world because it's very easy to get um uh the metadata that you need uh in in the um uh to be able to check uh because it's already it's automatically being produced uh throughout the entire environment. So it's it's it's very fairly simple to write the code, to pull the right thing uh out so you can uh then check the whether or not it's meets the criteria of being acceptable.

I mean it quite frankly, it's the only way to do with 20x. That's to me, that's why 20x is never gonna hit the IaaS or the PaaS level. It can't.

Right. It's gonna be hard.

Like the the whole point of 20x is to use cloud native architecture and cloud native features. And when you are the cloud, like not you can't eat your own dog food for everything.
So that's it's gonna be tough. I I wouldn't like to see how we how uh how the the FedRAMP PMO handles, you know, some of these folks who provide uh um different types of of IaaS uh capabilities as well. Because there's several companies out there. We actually support a couple of them as well that don't are not they're not on um one of the major cloud providers. They have their own solution that they have, and then they bring in uh applications into their environment. So I'm gonna I'm gonna I'm watching with uh you know BDIs and this figure out what how what and how he's gonna uh attempt to do that uh with those folks.

But before the end of the day, if we if we really wanted to, right? We have our we have our logging, you have your scans, you have your alerts, you have all of that's just built into the cloud, and that's what 20x wants us to use. Right. Um the big unsolved question that I I have been sitting on for a long time is what happens if is 20x gonna break out of that SaaS world, or is that gonna remain like it or is it gonna just stay there? Like, right? How are you going to modernize Rev5 for physical security? Because none of the KSIs address fit the physical layer at all. And I don't think that there's a government appetite for hosting workloads in any old data center. Like I just I just don't see that happening in in all of my years of sysadmining of of I can't like having to map out data centers in basement mazes and walk around at 3 a.m. God knows how many times.

Been there, done that.

Yeah, I listen and then of course you're mapping something, you're not supposed to have a map, so you end up basically just counting steps. Like, I mean, it's wild, right? Wild world that we live in sometimes. But um, I just don't see how like like how are you gonna do a KSI on like you know, your HVAC controls? Like, how are you gonna build that in scope?
Every every Federal data center walkthrough that I've been through, it's like it's you know, it's an Equinix data center that's essentially providing FISMA high controls, right? And then there's a cage, and that cage is the physical boundary for where the data center is being hosted. Right, right. How do you

So maybe he comes up with some um IaaS-specific controls? I I don't know because I mean nowadays most of this stuff can be reported digitally anyway, right? Plug in IP, IoT, right? IoT is everywhere now. So you can you could you could pull a lot of this information with IoT, but that doesn't necessarily mean that's the only way to do it. And and so there's gonna have to be some considerations on how they can automate this stuff in a way that then makes sense to um the average person downloading the information to

I'm gonna play devil's advocate on that one though, Gary. My my concern there is what you'd you'd be introducing a whole new lay hardware layer of vulnerabilities, which can be very catastrophic. Like it like this is where that whole like value add conversation comes in. Like, what's the value of monitoring the humidity of my racks automatically versus the risk of that like thermostat being compromised as part of some other like greater like you know, like malware campaign, SCADA device like compromise? So at what point does the benefits of knowing the humidity out like outweigh the security risks from that physical device?

Uh I'm not an IoT expert, and by no means uh will I ever agree, uh will I ever say that I'm a physical security expert, but I will say there are a lot of people remote monitoring um uh data centers today, right?

Oh yeah.

Maybe it's different maybe it's a different methodology, maybe it's uh you know just a different uh viewpoint, maybe it's not actually collected on the same platform. There's another way to actually go about doing that. Maybe it's a whole separate thing by itself.
So I I I don't have any real answers there other than I think it's possible.

Um now um it it can be done. It's it's just it's it's again, it's that like weighing, you know, because what I always go back to, Gary, is like the think about the original like big malware campaign, you know, Stuxnet. Stuxnet was the big one. That's what put like that's what put cyberspace on the geopolitical map. And we destroyed physical devices with thumb drives dropped in a parking lot, right? Right off network. And you know, we destroyed them nine months after the payload was delivered.

Here again, I I don't really have an answer to that. Um and I because it's not my specialty area. Guess what? I I I uh uh downloaded all that data from my data center days to where I don't have to think about it anymore because I outsource all that and I just trust that they're doing the right thing and I watch their certifications and and that's that's where my mind stays, unfortunately. And I'm not sure if I can actually get my head back wrapped around that because I'm so used to pushing these buttons nowadays that it makes makes my life easier, if it makes sense, what I'm trying to say.

Gary, I I I you know, look, I still play like Star Fox sixty four every once in a while, you know, and like Mario like, you know, I I I I like knowing your roots, and so that's I always try to keep my uh my my my data center knowledge there and like you know, my sysadmin days like right up front.

It's uh you know I get I think I I think I dropped that once I started um wearing shorts every day uh to work.

Right. So the so which is people wear pants anymore? I I I mean

Okay, good. You're a shorts guy too, right?

I spent all morning like working outside. So I'm not no, like I assure you, there was no no pants are involved in this.

So we have um so we have uh a 7,500 square foot building here in western North Carolina. This is where we run our cybersecurity center out of.
Um, this is where our security operations center runs from. This is where most of our engineers work out of, and many of our cloud operations people too. When we first built this, I had a, I want to say 18 rack data center in my uh in the back part of the building. And um I had this huge air conditioner about the size of an entire wall when they would ever come on the lights would dim in the in the county, right? But uh um, you know, over the last five or six years, um, and I think it was last year, matter of fact, I think we probably did a little small meme on it. When do you know your data data center transformation is complete when the guys who run the SOC, which is actually attached to the data center, are asking where the heat buttons are, heating butt heat button is as opposed to can you turn the air conditioner up some more? And fortunately, my secondary uh air conditioner was a heat pump, so it had heating on the other side of it. So the the the coldest days in the in the winter, the the two the two systems that I think I have remaining, actually I've I've I made a mandate now where I I think there is one left with one VM on it that controls certain parts of our building that I can't quite get into the cloud yet, but it still spits out 3,500 watts of uh of power every day. Um so we did have an air conditioner go out this summer or this this this spring, and it was already 70 degrees outside, but yet my my uh uh computer area was getting up to about 85 or 90 degrees just with one server. So with all those servers gone, you know, that uh enabled us to downgrade our air conditioner, downgrade our whole uh uh data center to now, like I said, it's like one working server in there as well, one working piece of hardware. And everything else is uh everything else is virtual. So when I say I downloaded that stuff, I meant it. I mean, I kicked it out the door.
Matter of fact, I took the racks and gave them to give them to like the local community college or something. Uh because it even the hardware too. So

No, that's great. Honestly, it's great. Like the community, um one of all the community colleges, because I'm I'm in Maryland, I'm in Frederick County. Um, and all of our community colleges, they have like full-on like like uh $500,000 racks to do like their like for their computer science and like cybersecurity services. Um big, big fan of like those programs. I'm uh, you know, like I've I've I've talked to a couple of professors on occasion about like how to like develop that out and make and basically teach people like more like relevant cybersecurity like skills versus kind of what they're teaching academically. So that's the right spot to do it. Um the only sad thing is you don't get your 100% uh efficiency in the winter because every po all the waste heat makes the building warmer, so you get like that's the only time that a computer's ever a hundred percent.

Yes, it is turned on during the winter time. That's the sad part. It is you know, we I have to I have to heat my space with propane, so um because

yeah, but I get it, get it. Um, I I I I'm always uh um I like well one thing right now, Earthlings actually we are working with a uh uh a new IaaS provider um that's trying to break into the Federal market. So I've had it all in the mind recently because I'm trying to like, you know, essentially we're involved in like go to market efforts with them. And it's like you know, remembering like, all right, like wait, which switch has 64 ports? Like, and you know, I'm like I'm like remembering all of my subnetting and like um you know, just making sure that it's all built. And I'm like, okay, like can I put this these wires together or should I pay somebody else to do it?

I mean, you just can't say um Terraform create me a subnet that has this IP range and it doesn't create it for you.
I always used to like to tell I used to like tell this story. So uh Jason Shropshire, who's our COO, him and I met at Lowe's. I was uh the IT security architect, and he was uh mainly focused on delivering identity management stuff. Okay. And um one of the biggest um um projects that we worked on was help implement a large portal for all of the uh the users at at Lowe's, because they really only had corporate accounts, which was uh 10,000 people or so. And they didn't have accounts for all of their seasonal employees or anything like that. And um, so that's two quarter million people that they would go up and down, down, left, left and right with that with those services. Well, one of the things that we that we built was uh this large portal, which which was um active, active, active, active, whole bunch of load balancers, whole bunch of you know hardware components. And it took us about three months or so to get all that hardware components put into place before we can actually put our software in to start being able to use it uh inside the system because we had to have all that load balancing up front. Nowadays it's basically give me an ALB and this is where my destination port is. And oh yeah, by the way, I want to cert and also want to do my DNS at the same time, you know, and the code's like this long compared to how long it used to take us to purchase it, you know, get it, get it in place, and then and then figure out how to manage you know that hardware uh as well. So, you know, the whole cloud perspective to me in you know uh using somebody else's hardware is is as high on my list nowadays.

Oh, look, 100%. I trust me, I I have built routers, I've built, you know, I've built Cisco routers, I've managed uh um you know multiple networks of God knows, like like old operating systems, new operating systems.
Um I like I I like the ease and simplicity of the cloud, but I also always remember in the back of my head that fundamentally that cloud is still just that exact same data center that I used to work in. Like somebody has to manage it. Somebody agrees, like I can't tell Claude, like replace this hard drive and then it sends out a little like mini robot. It's not the beginning scene of hackers where you have little robot arms fighting over which show to play on this TV station. Um we're not there yet. Hopefully, we'll never be there. Um, so we have to like like that. You know, I I uh with my team, um, I have uh I have like three juniors right on my team. I have I have a another senior person on the team, it's got about the same experience as me. Then I have three juniors. Um one of them was an intern that we brought on, and the other two were like one was a new hire, one was a transfer from inside the company. And I try to make sure that I teach them all of these sorts of things, like these like the the let's call them secure like IT fundamentals, like this is a data center, these are switches, these are routers. Um like I I I told them like I want you all to start with like getting Cloud Plus, and then after that, I want you to go get like Net Plus so that you understand like how does the internet work. I tell you, that's uh uh from an education standpoint. I mean, that's kind of what we do here as well. You know, we really we work with the local community college, and then we also work with the um um several of the universities in the in the region to bring on interns. And then I set I set on the board um for the um computer information uh science uh uh program up at uh Appalachian State, and then Jason sets on the board here at the local community college. That's about where we get most of our security operations center analysts from, is from the community college. Then we intern them for about three to six months. And if they work out, they work out. 
We hire them, we bring on full-time, and we put them on third shift weekends initially. And then the uh the uh the folks that we are who are advisors or are um engineers, we either get them through computer science or the CIS programs out of the local uh universities here. We have quite a few of them. That's one of the beauties about being here in North Carolina is the education system from for higher education is is is very, very good. Yeah, because you're out in that like that tech triangle. Like I sort of like half the like Oh no, we're we're in the we're in the nowhere man's land. We're in the mountains. Oh we're in the North Carolina. So I'm not in the Raleigh area or anything like that that we're in. Oh, so you're at Dollywood. That's a good thing. Um to be honest with you, we're kind of close to Dollywood. You know, we that's a lot of folks go there. We're we're just north of Asheville. We're near Boone, North Carolina. Uh that's where Appalachian State is. We're actually in Wilkes County, which is um you know, kind of in the middle of nowhere. Which is really it was just actually really cool, Gary, because if you think about it, like most like like especially most CSPs and especially people in the FedRAMP space are not that like localized. Like you've been able to take like here here's my little corner of you know, like uh of of the Appalachian Mountains and like build out a FedRAMP program with it. Um versus you know, when you think about it, like I mean, when I you know, like in all of my time as a as a as an auditor working for 3PAOs, um we go live everywhere. Um it's it's amazing because it what I always like to say is have laptop will travel, right? Because if we can get internet connection, we can get what we need to get to. Um and I and I'm sure you're the exact same way whether you're doing auditing or whether you're doing the engineering side or you're doing the actual cloud operations side. 
So let me let me shift this cut yeah to topic, if you don't mind, over to cloud operations in this in this new space. I mean, how do you feel about the continuous operations and continuous monitoring, continuous management, continuous auditing, you know, in this new kind of regime space? Let's just keep ourselves focused on the newer space as opposed to where we currently are, if that's okay with you. No, of course, of course. Um so I I like it. I I have I have a lot of notes about it though, that I'll that I'll say. So one thing that drives me nuts personally is especially when I'm auditing somebody. Um because this is based on a true story, obviously. It's always based on a true story. Um I had a uh I had a client that had a web application scanner set up on like you know a monthly monthly scan, just like you normally would when you're doing your POA&Ms, your Kanban, right? The problem was is that the scanner was by all accounts running. It was updating the scan date, but it wasn't actually scanning the web app. So all the automation was in place, but there was never like like the scanner didn't send an affirmative message saying scan complete and validate that it actually ran the right way, right? So one thing that I I I I I will I will stress No findings, no findings again this month. We're doing great. And see, and and that's the problem. Like you you assume you just make that assumption. Because of course, like you're gonna take out your info findings, you know, like like the the nonsense ones, right? You're you you you filter all those out, right? I'm I'm interested in real findings. Tell me I got an SQL injection, tell me where it is, and I'll fix it. Okay. Um and so one thing that I I always look for whenever I'm watching somebody's fancy tool or like they have a video on like LinkedIn, they're talking about it. I'm not just looking for telemetry about a failed scan, a failed check. I'm looking at telemetry for a good check. Right? 
Just like think about like an HTTP request, right? If it's bad, I get a 404 error. If it's good, I get a 200 response, but I don't see the 200 response. And one thing I've been hammering with my engineers is if we make an automated script, I want it to report a value back that we can track, saying I ran this check, value is good. So, like you know, if it's a good return one, if it's bad, return value two. That's kind of how we're designing everything. That's one of my concerns with a lot of the automation, a lot of the telemetry is again from an auditor perspective, I need to see that it's actually running. And so I need that affirm, I need that HTTP 200 response in your tools. Okay. Um, otherwise, how do I exactly trust the results? What if something got stuck on a loop? We know sometimes scripts don't run properly. Maybe, maybe crontab got screwed up. Like, who knows, right? There's they're not per they're not perfect. Is that what you're saying? Yeah, I mean, God forbid, like something doesn't work, like literally it not being perfect is why we have jobs, Gary. So exactly. No, that's yeah, exactly. You mean that script's not gonna run perfectly every single time it runs. Uh that's exactly what I thought it did. So no, and and it does for the most part it does. And that's you build in your checks. We build in, and that's where I think that that that's where this kind of goes into the like I I want to automate what makes sense to automate, but I also want a human in the loop. Yes. And so when I have, you know, when when my when my automation scripts like a um well, I'll give you an example. One uh something that we just recently built was a uh um essentially it's like a like a it's an automation script that we run inside of like AWS SSM to basically validate that our security tools are running. Okay. Initially we had it, but it didn't give us a a positive like checkback, didn't give us that one value when everything was kosher. 
Um and it it wasn't running often enough. Um this was like we literally we did a CP/IR test, and this is one of the results that we came back with was this isn't checking in frequently enough, we need to have it check in more. And of course, it was let's evaluate what is the like is this gonna cost more because of you know AWS billing? Um we we did it, we evaluated. Is this the right way to do it? Should is it really gonna like bog down our systems if we run this every five minutes, for example? Because you know, some real-time monitoring can do that. Um we're talking like think about like Wazuh's like FIM feature, right? If you if you try to real-time monitor stuff, you're gonna you're gonna eat up processor cycle. You can't even use the systems. Yes, FIM's tough. And then and then think about it, Gary, and then you like like well, your clients are paying that bill, and but do you really need to monitor in real time if like you know, qualist.conf has been changed or not. Um that that's where a lot of this that that's where the whole like, you know, come that's where the the compliance and engineering meet is what so that's where so when I say what actually needs to be automated, that's where I'm going with it. Like so let me let me let me expand on that with with two things, right? So one is, you know, all right, cool, the service is running, right? But is it working? Yeah, that's the second part of that, right? So you know, you really need to get and the problem is is you don't really realize that until you actually start monitoring whether or not that service is running. So that's like to me is the entry level in. So is a service actually functioning and am I getting re results from that? So you know, like logging as an example. Everybody checks to see if you know they have ingest, you know, pipelines. Okay, I got my ingest pipelines. I have everything pointing at my ingest pipelines. 
All right, am I getting data from the right things at the kind of regular interval I expect it? So you know, you have to put those kind of checks in place as well. This is one of the things I I like to call them which are operational security controls, not necessarily compliance per se, but really operational security controls to ensure that I am getting, you know, the audit logs or that that service is up uh up and operational, um, not just up, but operational, right? Um and then the second thing really is okay, so now that is it feeding me the right information and is it feeding it to me often often enough? And I think that's where sometimes people don't take it to that next step as well. Am I is it coming often enough and is it coming from the right sources? Oh, shucks, we haven't received anything from this source in the last hour. What's going on with it? You know, yeah. Oh, well, there's a jam right over here. There's something jammed it up, and we got to go unclog that jam. So that's why operations and security to me are go hand in hand. And then the compliance is are you doing that stuff on a regular basis? You know, just because it's jammed up doesn't mean you're not compliant. It just means it's jammed up and you need to go get get it fixed. Gary, it it's it's like ordering a pizza, right? When you order a pizza, the first thing you do is you peek in that pizza to make sure it's the right one. Yep. Right? So just because I received data, received a pizza, doesn't mean that it's the right one. So let me check, you know, like is why, why, why is there like you know, bell peppers and anchovies on this thing? And then that's not what I put. That's not what I that's not what I put it on my order, right? That's not what I so it alert. Great analogy. That's a great analogy. And I'm gonna steal that from you. I'm gonna use that uh in the future myself. Because it's I think that's a lot easier to understand than what I just described took me five minutes. 
Yeah, well, no, but it that like fundamentally though, I think that's like look, uh obviously you're much higher, you're higher much higher up in your organization, right? Like, you know, I'm I'm pretty high up in my organization, but a lot of the people that we have to deal with aren't necessarily like technical uh folks, and we're having to explain compliance to them and the security side of that compliance. And so we need to be able to explain, like, you know, yeah, like the reason why you're spending you know $20 more dollars a month on Lambda functions is because you know, we need to make sure that it's the right pizza. Yep. Um exactly. Yep. We we we know I might be I I might be high up in my organization, but I still do code a little bit here and there. So listen, so I actually uh um so apparently my I I did a CP/IR test last week with one of my clients, and apparently everybody liked it so much that they decided that this is the new way that we're doing CP/IR testing. And so I actually went ahead and uh um I made a like a bash script to basically run through I I set up here's a bunch of uh like like essentially scenarios that can happen on this, like on it's a utility server. It can, it can nobody's gonna miss it if it's down for 20 minutes. Throw some chaos monkey stuff at it, right? Exactly. Yeah, throw some chaos monkey, screw up some permissions, turn some stuff on, turn some stuff off, like you know, and it basically just kind of like it says pick three of these and execute them, right? Right. Um, and so like I I I put that together to last two days, and then essentially I come in and I basically am like like game mastering this scenario. Um so I pick one of my engineers, he's it's it's one of them is always I I tell them you're fired, and then they run the script. There you go, is basically what happens, right? So that's that you know, we're we're simulating a malicious insider who had system access. Here's what they did. 
We check to make sure that the audit logs are, you know, like doing what they're supposed to do. We investigate to see if we can attribute it to the person. Then uh we essentially we just restore from backup because that's an also a control requirement. Make sure your backups are valid. Like that's just kind of how we do it. That's the last script that I wrote. Um, and before that it was Wazuh FIM rules. There you go. So I write, I write uh Terraform and I write Python and um I do some Angular uh as well. So nice, nice. Uh I I I love it. It's it's not what I do for my full-time job, but it's something I kind of do on the side. Like, let me go. I I do a lot of POCs, if that makes sense. Um, this is what I want to see, guys. Now make it pretty and make it work. Listen, that's what I did this morning. I took my script and I was like, guys, I don't know if this is gonna work, but right this is kind of like like half of this is from like Copilot. I don't even know, like I've never used some of this bash before. Like I was like, here's the parts that I know were gonna work, here's the parts that I'm like, I'm not sure. Um surprise, guys. And that but again, that's that's why like I like having the engineers that I have. Um but I think that's for me, that's why I love doing what I do, is because I can do those kinds of things. And I really think that the the industry that we're in, um the leaders need to be fairly technical as well, and so they can understand the the art of the possibility, right? That's kind of one of the things I always like to say is is you know, trying to figure out, you know, what can we do, what what can't we do? And um to me, what can't we do is is always just as important as what can we do. 
So, you know, in the in the last uh remaining time that we have, what I'd like to really talk about here is is is what do you think about you know where do we where do you see that we're gonna where the uh the FedRAMP kind of uh program or this could this compliance program is gonna be headed, say the next say three years. I won't say anything beyond that because to me I can't see past a year. So but it's three years. I mean you're better than I am at this, so let's go ahead and so you know this is this is where what where I'd say I think it's going. Um and I I I'm I'm gonna this is kind of a reflection of like the broader market. I think that I think that we're gonna have this phase of AI solves everything, and then I think that we're gonna end up pulling back from that. Um it's what's happening with a lot of like engineering you see in companies that are realizing like my Claude bill is more expensive than just hiring an engineer that can do it themselves. And the code's not as good. The code's not as good. Like, listen, like when I was vibe coding my thing yesterday, like literally Claude, like I was like, Claude, make this better, and then it made some changes, and I said, Claude, make this better, and then it just reverted all the changes that it did. So I'm like, okay, you're just like running me around in a circle here, and I know enough about what I'm reading to know that that's what you're doing. Um and so I I think that I think right now we're seeing this huge push towards AI, and I think that I think that we're at at some point we are going to see this like agentic AI deployed on our endpoints inside of these like FedRAMP environments, and I think that it's gonna start going horribly wrong. Or at least I hope that it does, because honestly, I think it's a terrible idea. Um that's not the point. Like I I I think that it's bypassing the point of a large language model. 
It's it's trying to add like in like deductive reasoning into a s uh um a machine, and I don't think that that's uh possible. Um I don't think that it's a good idea either. And so I think that we're gonna I think that within a year or so I think we're gonna see kind of like a a r a more of a I'm gonna call it a return to sanity where the automations like where when you send when you send data data A to a computer you're gonna receive B back and you always receive B. Okay. That's the difference between automation and AI, right? AI, you never know what you're gonna get. You could get a recipe for flawing. And so I think we're gonna start seeing a a a pullback um as because quite frankly we don't have the physical infrastructure to build out enough AI capability for what everybody thinks they want it to have. To truly get it to the reasoning piece, the system thinking piece, the critical thinking piece to be able to come back with real opinions that really mean what they should mean. Yeah and and look just look around like I it this is happening in my county as well. They're building a bunch of data centers and of course there's massive opposition to it. Whether their opposition is valid or not I'm not gonna that we're not gonna I don't want to get into that obviously but nationwide you're seeing companies wanting to build data centers and localities pushing back and saying no. Okay. Right I think that's gonna stymie the possibilities of what AI is actually going to be able to do and at some at one at some point we're gonna go back to you know your more traditional like here's a SOC analyst here's automation that will help with filtering like AI instead of AI being a like a bipedal robot that is doing something AI is going to be like a hammer hanging on the wall and when you need to use it you grab your hammer or there might be an AI screwdriver. You grab that screwdriver and use it when you need to um I think that that's what we're gonna end up seeing. 
See I I you know I I I I I'm kind of in the same boat with you. I have a maybe just slightly better more hope you know I think it's always going to help us with the scaffolding you know the the root the root the root stuff you know give me a config um for X and it's gonna give me that config for X. I don't have to look it up for the latest you know provider or the latest language or the I want it in Python. Well no this time I want it in Rust or this time I want it in this. And it's gonna be able to pull that stuff out and then hang you know the scaffolding around that. So then it it can give you better answers you know around what you already know and what it already knows. It'll just do it faster, in my opinion. But now if you say go design me a system that does X, Y, or Z, I think that's where it's gonna come into the problems. That's why we still need to have, in my opinion, which is my next my next uh uh question is I think the skills that we really need to have in this future though is is really that system think that going back to that system thinking up front being able to look at the entire system what's going in what's coming out what's the transformation of the information you know on the inside what parameters do we need to have in order to to make those uh those those those translations as well it and and a lot of folks I don't know what I need to come in I don't know I don't know what my inputs are I don't know what my output is going to be if you don't know that then you're never gonna really be able to design um you know true systems I mean to me to me you know it it like take take a medieval peasant from a thousand years ago and and tell them like here type whatever you want to build a computer program this terminal and what do you think they're gonna do like they're gonna they're gonna burn you at the stake um like or they're gonna ask you to build a pyramid I don't know like but there's you know we have you have to keep that like that's why I say 
that like one thing that I think is really important is is the concept of training our juniors to basically do our jobs in 10 years because otherwise we're gonna be stuck working forever and I want to retire. Like I 100% agree. And you know we have I am a firm believer believer in working yourself out of a job. Yes and but all but also if we if we take these juniors and we never teach them how to become seniors or we replace them with AI then there's going to be nobody around to fix the AI. That was literally the entire point of the movie Idiocracy was that they automated everything. And then the quote of Idiocracy and then nobody knew how it worked. Like the same thing happened in WALL-E think about it. Remember WALL-E WALL-E had the same story right we we we automated ourselves out of understanding what we were what we were managing and that's when we we can't do that. We have to if we replace all of our juniors with AI then there will be no seniors in 20 years. Correct and folks have to remember that and realize that so we use it as a tool we use it as an augment. Now I like that I love that philosophy. In FedRAMP world this is what I'll say Gary I think that the next consolidated rule set is what I'm the most looking forward to because I want to see how radical the 20x push continues and how deep it goes like we were talking about earlier does it go into the IaaS level does it go into the IL levels? Like is Waterman able to beat the DOD over the head with his like M2413 stick until they accept his vision of what FedRAMP is going to mean? I don't know. I don't know the answer to that um I would like now I I will say and I like the concept of 20x but I also think that Rev5 has its place and I like I I kind of I I actually I kind of like the structure how it is where your SaaS apps go 20x and everything your IaaS your PaaS that has to stick with Rev5. I don't have an issue there. 
Can can I add can I add one flavor that though the one thing the one thing that I think that doesn't create the comp competitive marketplace is that need for that sponsorship. Yes. Right? So that i if they decide they want to do it that way then in my opinion they they really got to carry that part through as well you know like the old JAB used to be that you know to to give people the possibility because you know this is a catch 22 right I know you you see it every single day out there in the marketplace. That part has to stick so you so now that I have something guess what now I can I can go sell it. Hopefully you're building your pipeline up the entire time but a lot of a lot of proposals and RFPs come out and say if you're not FedRAMP moderate or FedRAMP high guess what? You can't bid on this I the AO thing is always like I'm so glad that's on that's the thing I like the most about 20x yes um 100% keep the AOs out and I I hopefully what happens in the long run is that the PMO can get the funding so that they can do a lot of that like uh like a like essentially AO management. I said it before like in a there was an RFC that the FedRAMP put out and one of the comments about a um spot like having the PMO sponsor like ATOs. And my like comment that I sent in was basically saying like this needs to happen but it needs to happen for tools that are going to be useful for like the FedRAMP ecosystem where I can't get an agency sponsor. So like you know Paramify is a really good example right like no agency would ever use Paramify. They don't really have a purpose for it. Paramify is meant for the FedRAMP marketplace in in general and that's who the PMO should be sponsoring. Basically those those things that are useful for all of us with FedRAMP authorizations that like couldn't get an AO. Right. You know any any of us you know we have a PaaS is what we have right ourselves. 
So we have secure hosting you know and we have SSP module we have ticketing system but it's really designed you know for the FedRAMP ecosystem. So if you want to if you want to you come host with us or you'll pop right next to us it's very easy you know to to uh to leverage those services. But if you're not authorized, you know what what's ended up happening is now I've built it 25 times, right? And I I have to now support that 25 in 25 different places. So they're not really getting the true benefit of a a a cloud solution to where I could have all of it in one location and then manage it you know manage all that information in one location. And and and that's where the PMO giving authorizations would accelerate the FedRAMP marketplace as a whole. Yes. And that's so that's one thing like I like if Waterman is watching hopefully he does that's what he needs to do. I expect LinkedIn I think he listens he says he listens on on his uh on his his workouts so oh good good phew so yeah that that's my like we we we need that we need the PMO needs to be focused on expanding the FedRAMP marketplace. And then we get rid of the agency we get rid of agency sponsorship and so that now when an agency wants to use the product then they become one of the like you know they sign on they they each agency gives it its ATO I've that part of it is fine but the part of your FedRAMP ought like certified now no a no agency should be involved in that aspect of it. Correct 100% agree with that and I and I I'd like to see it uh kind of continue and expand uh in that way so all right so um real quick how about uh any questions for me uh we've been uh I've been peppering you with questions do you have anything for me my for myself that I could answer for you so I I do have one Gary and I I you might know where you might know where I'm going with this okay so I'm wondering about I I want to hear the background on the logo and the knight and the armor. 
No you don't I'm just look all right is secret Renfest like if if if that's the case like I can I can forgive you. No um let's just say um how can I explain this real quick I'll do it real quick. So um I'm a DIYer I'm uh we're privately funded everything that we do we do out of our own pocket right so I designed the first logo which was the little circle which which you probably don't not even aware of right I I actually loved it because it was InfusionPoints every we we we integrate or infuse cybersecurity at every point in the life cycle that's what it was it was a it was an oval with a with that right so so I hired a whole bunch of new guys they came on they're like I don't get it I don't understand it you know we want to get we want to do something new so I said okay let's do something new so the the knight which is over here I don't know if you can point the camera over there real quick so the knight I actually purchased at a um I purchased at a local yeah go ahead you that's fine just go ahead and there you go you gotta turn it there you go a little bit more there's the guy that's who I'm talking about there you go so I purchased him at a local store and they were going out of business um and um I paid X amount of dollars for it can't remember exactly how many dollars I paid for it and I was like this is what I want my logo to be we're gonna be the defenders of everything right so when the guys came up and they came up with the first logo it was this really wimpy looking knight and I was like I don't like it I want something like 300 I want something like 300 you know the Spartans you know so then there you go it ended up being being the Spartans so we that's how we ended up with a mask and the shield. So they don't exactly match anymore uh but that was what the plan was and we're actually going through a rebranding right now as well. 
Oh no can we get can we get a can we get a sneak peek Gary can't do a sneak preview yet um but I will say that it might have some orange in it. How's that sound? Just a little bit a little flavor a little flavor of orange. I think that'll be fine. Listen but my whole house is painted bright yellow inside so like you know I'm all about the uh I'm all about the pop. I was looking to see if I had my orange shoes on today. I usually wear orange shoes but I I got a really bad stain on my orange shoes yesterday when I was walking so they're in they're in the wash I got my blue shoes on today. So but uh no thank you for that and and you know we really do live uh in our in our minds like Spartans I mean every everything that we do is all about uh about the Spartans in the 300. You know thinking about uh the the few protecting the many is kind of kind of what we say and um it's it is kind of important to us. So the Spartan theme will continue. So I'll I'll I'll keep it at that it's just uh the logo will change um probably sometime in the fall we were gonna try to do it in the June timeframe but uh here again to being a DIY company um you know it's it's hard to get everything prioritized if that makes sense. So I I totally get it. Listen I'm I'm just I'm glad that if I ever have to do a rebranding one of my juniors like does like all the artistic stuff. Like I I can't tell you how many times Gary I've been like hey here's a document make it look pretty and then what it comes back is like nothing like what I made like this I'm a stick person die drawler so that that that definitely uh makes it a little tough. So one of them called my style brutalist and I was so I had to look up what brutalist meant and and then I see like as like you know like like all these like you know Soviet bloc like apartments and I was like yeah that is my aesthetics. My bad yeah no I try but I can't I'm not an artist at all. I do woodworking but that's it that's about it. 
So anyway let me ask if you don't mind if I just ask you three personal questions not really that personal. You know so just um what what's uh what kind of a books do you like or what but kind of books do you recommend most recent read or oh I can grab I can go grab those for you I got them sitting right here. So Dune Saga all of them okay I have all 19 of them up here um highly recommend oh my gosh um wow so what I'm reading right now though um I actually there's this uh book series called uh um West of Eden by Harry Harrison and so it's a what if the dinosaurs never went extinct and actually evolved side by side with mammals um and uh um I read the first book as a kid and then when I was looking around at a bookstore I saw that it was actually a trilogy so I had to get all of them and so now I'm uh rereading them. Um but I'm a big science fiction um especially like old school science fiction the Asimovs Frank Herbert's oh there you go there you go me too you too yeah it's my craft I like horrors and pandemic and uh end of the world books and movies as well so so how about movies uh TV shows um for yourself oh boy so uh um hands down Stargate definitely my favorite TV show of all time um um movie too um uh movies okay I I I like I I listen James Spader and Kurt Russell are amazing but like like MacGyver and Michael Shanks like kind of like oh right they they they definitely knocked it out of the park for sure. Exactly been one of my favorite shows for a really long time. 
Of course I I've watched Star Trek God knows how many times at this point um I will say Star Trek Voyager is better than Deep Space Nine um I don't come at me um I was never a big fan of Deep Space Nine uh I I do like Voyager as well I like moving as opposed to staying on the edge Deep Space Nine I in it wasn't good when I first watched it when it came out it was boring because I was like a kid um right and then when I tried to watch it in like my 20s it was also really boring and now it all kind of makes a lot more sense. So watching it late in your in your slightly later later years is more entertaining but still back on uh I've been going back through um different um shows uh for Star Trek and watching them uh here recently because the new shows it's okay I will I've looked at it a couple times yeah and right now what I what I'm watching right now is a um uh uh Farscape if you remember that one oh yeah that was good yeah I I I think I'm gonna start incorporating all of their curse words into more of my normal like uh um vernacular you know like Frell and Dren and uh oh yeah maybe that's what I need to do because I was ready I was I was doing the Frell one earlier today and I had a few people laughing at me but I wasn't saying Frell. Yes exactly like it's it's a it's entertaining it's off it's unhinged it's a little off the wall um so you know I but big a um just like my books I like my TV shows a little older too. There you go. There you go. 
All right so we're also um um kind of a give back organization we do uh lots of um uh support to local um nonprofit agencies and things like that do you do anything like that that you want to give a shout out to um so probably the biggest one uh there's there's one in my area um there is a it's kind of like a conglomeration of uh um the Goodwill um in our area works with an organization called Platoon 22 uh which is focused on essentially veteran assistance um one of the things they did very recently um is they actually essentially they were able to put in their own like halfway house they bought like an old hotel remodeled it and they're able to give people like places to stay beds um while they're especially um while they're waiting for like help through the VA or through some sort of like inpatient program. Some folks just stay there the whole time because their needs are not as uh as severe um and so they've been uh um they've been doing good work for a really long time and uh you know I'm happy to support them. Good, good. 
We do a lot for what we call the child abuse prevention uh team down here in uh in North Carolina and then we also do uh with the Special Olympics uh my son has Down syndrome so we we stay very heavily involved in uh in that community with group homes and and all that as well then we have some folks here who are rescue people they like to save animals you know uh quite a few of them are rescue people here it's national uh rescue dog day so oh well there you go in actually it won't this won't come out today but it still matters guys every day should be national rescue dog day and that's Caitlin if you didn't know who Caitlin was that's who that's Caitlin who the voice behind who's our big uh um uh kind of uh dog person here I was walking by by walk by our house the other day and uh it's it's near the trail it's near the trail that I always walk on it's really beautiful about living where we live is you can walk pretty much anywhere and and not worry too much about getting run over but I really got worried at one point that all the dogs barking at our house was were going to come down the hill and come after me. So I I I texted her and said so what's going on in your house today? We have four. They have four rescues foster fails. Yeah there you go there you go so I I just have chickens um as my LinkedIn profile shows um like but I have my my flock is full um I can't I don't have space for anymore um chicken math is a is a killer I started out with like six and now I have 23.
Wow and I think that's a lot of eggs listen yeah I I have I have the little egg sign uh you know up so if if you're ever in the if you're ever in the Frederick, Maryland area and anybody needs some chicken eggs like please like western Maryland right that's in western Maryland it's like it's like northwest of DC yeah so um it it used to be a lot more remote let's just say that and now it's gotten pretty built up um so oh yeah yeah out 70 right out 70 got it got it I grew up in Cecil County so you know okay yeah yeah that's in the that's the northe uh northeast uh corner of Maryland over by the the Conowingo Dam. There you go. There you go. Yeah my sister lives in Conowingo so yeah nice well Eric this was uh was it was an absolute pleasure and I hopefully you enjoyed it as well. Listen Gary would never would I go down to Boone next time with the trailer and everything like we're gonna do like an inverse and check it out. We're right we're 30 minutes uh we're 30 or 40 minutes away from Boone uh matter of fact you have usually have to go through uh Wilkes uh to get uh to Boone depending on how you go if you go down 77 and you cut across 421 there you go we're right there on 421 I'll let you know I'll I'll come down I I gotta I gotta see the data center at least you know or your one VM it's left so we've actually gotten rid of most of the most of the racks um I think I might have six left so nice nice thank you thank you very much for your time uh that was another episode of Behind the Shield you might not always find me at Behind the Shield but you always find somebody from InfusionPoints behind the shield. Thank you very much and peace out.