
Is RMF Broken? The Real Reason ATOs Keep Getting Delayed

Feb 26, 2026, 51 min

Episode description

RMF Academy: https://www.rmfacademy.io/


Please Rate the Podcast: https://ratethispodcast.com/techwoke


Check out Openrmf: https://www.soteriasoft.com/products/openrmf-professional.html


Timestamps:


00:00 "Mastering RMF Real-World Skills"


04:24 From Help Desk to Cybersecurity


07:10 "Understanding Frameworks and Perspectives"


09:50 "Breaking Down IT Misconceptions"


14:31 Improving Processes Through Communication


17:11 "Streamlining Solutions and Efficiency"


20:59 "Streamlining RFP Team Collaboration"


24:17 "Web-Based Tools vs. Client-Based"


26:43 "Web-Based Third-Party Assessments"


32:40 Automation and Data Integration Progress


35:13 Automated Cybersecurity and Data Integration


36:18 Automated Data Management Possibilities


40:20 "Automating for Efficiency"


43:53 Automated Compliance with Elastic SIEM


46:03 "Enhanced Layered Security Compliance"


49:37 "Improving RMF and Education"


Video Description:


If you’re navigating the world of government cybersecurity compliance, this episode is for you.


On this episode of the Tech Woke Podcast, I sat down with the founders of Soteria Software, Dale Bingham and David Gould, to unpack how automation is transforming the Risk Management Framework (RMF) process.


We discuss how tools like OpenRMF are streamlining control implementation, accelerating documentation, reducing manual workload, and saving organizations millions in compliance costs. We also break down:


Continuous ATO (cATO) strategies


RMF automation in DoD and federal environments


NIST SP 800-53 control management


POA&M optimization


eMASS workflow challenges


Compliance tool integration


DevSecOps and cybersecurity governance


Common RMF misconceptions


How education reduces compliance risk


If you’re an ISSO, ISSM, security engineer, GRC analyst, contractor, or working in DoD cybersecurity, FedRAMP, CMMC, or federal compliance, this conversation will change how you think about automation and compliance execution.

Transcript

"Mastering RMF Real-World Skills"

[SPEAKER_04]: Again, I'm a software developer, so I'm a find-the-process and automate it. [SPEAKER_04]: I kept telling him, we got to do something different. [SPEAKER_04]: We talked about it for you. [SPEAKER_03]: Well, and I kept complaining about the process, too, and how many aggravations I was hearing from different people. [SPEAKER_03]: So it was a lot of conversation back and forth, and then like Dale said, he was just like, this has got to get fixed.

[SPEAKER_01]: Like, what have you noticed that the government is using? [SPEAKER_01]: And they're not using software, like you said, they're using Excel sheets? [SPEAKER_04]: A lot of them are using Excel, we're at PDF. [SPEAKER_04]: Yeah, and then Joe using eMASS because there's this small subset of people that get to eMASS This is just not in the whole team has to help you get the data No, go in to you.

[SPEAKER_04]: So that's where we've we fit into collaborate to get the data correct before goes into eMASS a lot of the groups are using right now a lot of the groups are using file based stuff. [SPEAKER_04]: Yes, even in 2026 [SPEAKER_01]: And that's not secure, right? [SPEAKER_01]: And that's not really secure to, like, stay, he's putting a stick. [SPEAKER_03]: I mean, it isn't, it's not.

[SPEAKER_03]: I mean, if you think about it, you're passing it through secure emails, especially if you're working for, like, DOD or something like that, they have their own secure email system. [SPEAKER_00]: You probably have a Security Plus, maybe even a security clearance. [SPEAKER_00]: And nobody taught you how to write POA&Ms, or how to test a security control.

[SPEAKER_00]: For us to meet at ATO Package, I'm Chris Agpala, I fear years ago, I was in your shoes, all the five on paper, [SPEAKER_00]: I had a degree, I had to serve, so I had to drive, and what somebody said, how to test the AT-2 control, or got a date to stick by this. [SPEAKER_00]: I had no clue what that actually looked like. [SPEAKER_00]: Fast forward 4 or 5 years, I worked across DOD and federal agencies, lead control assessments, ring ATO package, and pass orders.

[SPEAKER_00]: That's why I built RMF Academy to teach you the real-world execution. [SPEAKER_00]: They don't cover in certification books. [SPEAKER_00]: Inside, I'll show you how to write a POA&M. [SPEAKER_00]: And don't get bad as bad. [SPEAKER_00]: Test and dialed the security controls. [SPEAKER_00]: Translate tech jargon. [SPEAKER_00]: Navigating NIST 800-53 and RMF with confidence.

[SPEAKER_00]: If you're in IT support in the government systems or stuck on edge of the security, this is your way. [SPEAKER_00]: The people who go through my training don't just get hired. [SPEAKER_00]: They hit the ground running because they practice the work before they win. [SPEAKER_00]: Go to rmfacademy.io and let's get the work. [SPEAKER_01]: Welcome everybody to another edition of the Tech Woke Podcast.

[SPEAKER_01]: I'm your host Chris, I'm Especials and Society of God Tech Space. [SPEAKER_01]: And on today's podcast, we're going to talk about how RMF can be better and improved inside the government space. [SPEAKER_01]: And in this podcast, we've got two great guests to help talk about that topic in particular. [SPEAKER_01]: So we have Dale and we have David. [SPEAKER_01]: They'd have founded Soteria Software.

[SPEAKER_01]: They also created a tool called OpenRMF and created many other tools inside the RMF space. [SPEAKER_01]: And without further ado, here you go, Dale and David, how you doing? [SPEAKER_01]: Good. [SPEAKER_01]: How you doing? [SPEAKER_01]: So I appreciate how both come in today, I want to say today, hope it doesn't snow, I hope them. [SPEAKER_01]: But the fact that I even came on, thank you for coming on, how you all dig on.

[SPEAKER_01]: Good. [SPEAKER_01]: Yeah. [SPEAKER_01]: Good drive up too. [SPEAKER_01]: Yeah. [SPEAKER_01]: You saw a lot of sand and a sight sand? [SPEAKER_01]: No, I was just clear. [SPEAKER_01]: That's all I was worried about. [SPEAKER_01]: So not too long ago, Dale, you know, I thank you for reaching out to me. [SPEAKER_01]: And thank you for both doing the demo. [SPEAKER_01]: I got to learn about y'all, learn about the software y'all created.

[SPEAKER_01]: And from y'all talking about it, y'all touched about everything that y'all can talk about where there was an automation, STIG automation, and you know, SBOMs, things that's gonna help out in the government very in the future. [SPEAKER_01]: But overall, before we even get into that, I just wanna know, [SPEAKER_01]: Who, just, both, you know, take some time, who are you on? [SPEAKER_01]: Just explain who you are, which, uh, you can go first, man.

[SPEAKER_04]: Yeah, so Dale Bingham, um, I would, uh, I would do your resume on the right down the street here, uh, been a software developer forever in the government's base starting in RL all the way through DIA, uh, NAFC, uh, where I met Dave, um, he and I basically met back in '04. [SPEAKER_04]: He and I were also the leads in essence, so we were told, hey, we have these new STIGs.

[SPEAKER_04]: Here's a STIG, you are here to check this, fill this out for us, and we were thrown into the belly of the beast in essence. [SPEAKER_04]: So from then forth, we were trying to figure out how to make that faster. [SPEAKER_04]: and how to make that easier, how to make that better, take all the heartache away, because for us, that was the other duties as assigned, and we still had to get our job. [SPEAKER_05]: And too? [SPEAKER_04]: So yeah, we've been doing this since.

[SPEAKER_04]: It's 20, 20, a couple of years. [SPEAKER_04]: Yeah, same day, what about you?

From Help Desk to Cybersecurity

[SPEAKER_03]: Yeah, I started off a little much different than needed. [SPEAKER_03]: I started off at the help desk, you know, working my way up as a sysadmin, became a network engineer, systems engineer. [SPEAKER_03]: Give it a title, you know, the roles. [SPEAKER_03]: And then I kind of went to the dark side as a lot of people talk about the cyber security side. [SPEAKER_03]: So I've seen it from both areas.

[SPEAKER_03]: I've gone and had to do SCAP scans, do patch scans, try to report up and you know the kind of proverbial joke, I've got all my data thrown over the fence and let it go. [SPEAKER_03]: I even gave Dale his very first app-dev STIG check. [SPEAKER_03]: Oh, yeah. [SPEAKER_03]: Yeah, and I mean, it was funny. [SPEAKER_03]: He was my boss back then at that particular role. [SPEAKER_03]: He hired me and We make the joke. [SPEAKER_03]: He sent me to Iraq.

[SPEAKER_03]: This is the most later. [SPEAKER_03]: So we know how much people hate it It was very manual very difficult, and so that's kind of when we come out two different backgrounds But meshing together to kind of come up with this solution [SPEAKER_01]: Okay, so yeah, we got each other, he hired you on, and then you're just linked and connected. [SPEAKER_04]: Yeah, we work well together. [SPEAKER_04]: We just, we just happen to work well together.

[SPEAKER_04]: We overlap a little bit, but we have really different skills. [SPEAKER_04]: But together, it's more like multiplication and then addition. [SPEAKER_04]: We really work well together, so it's. [SPEAKER_04]: That's why we've been working since for 21 years together. [SPEAKER_01]: Yeah. [SPEAKER_01]: Okay. [SPEAKER_01]: Okay. [SPEAKER_01]: So at one point and I don't know we talked about it. [SPEAKER_01]: It's like what what happened? [SPEAKER_01]: What did I say?

[SPEAKER_01]: Okay. [SPEAKER_01]: This process is messed up and we need to fix it. [SPEAKER_01]: What did I figure this out? [SPEAKER_04]: Right. [SPEAKER_04]: So probably so we started in '04, 2004 at the Navy AirD Technology Division. [SPEAKER_04]: So we went there and then it was PSI packs. [SPEAKER_04]: Yep, and then there were a couple of other spots and probably a third or fourth company that one of us pulled the other one too. [SPEAKER_04]: I think it was no better up in Boston.

[SPEAKER_04]: I was like, you know, this is, we're doing the same thing over and over and over again. [SPEAKER_04]: Everybody's doing the same thing. [SPEAKER_04]: We're still spending so much time. [SPEAKER_04]: Again, I'm a software developer. [SPEAKER_04]: So I'm, I'm a find-the-process and automate it. [SPEAKER_04]: I kept telling him we got to do something different. [SPEAKER_04]: We talked about it for you.

[SPEAKER_03]: Well, then I kept complaining about the process, too, and how many aggravations I was hearing from different people. [SPEAKER_03]: So it was a lot of conversation back and forth, and then like Dale said, he was just like, this has got to get fixed. [SPEAKER_04]: So yeah, 2015 or so started to learn some technologies. [SPEAKER_04]: Like I said, 2018, we put our first, our open source on GitHub out on Christmas Day, laying around one to two o'clock.

[SPEAKER_04]: in between, in between different parties or whatever. [SPEAKER_04]: We started then and been going ever since. [SPEAKER_01]: Yeah. [SPEAKER_01]: Yeah. [SPEAKER_01]: Yeah. [SPEAKER_01]: I'm doing very well from putting it on GitHub, you know, and to, you know, fixing things now you can literally with your software, take it and add it to eMASS now. [SPEAKER_01]: So it's like, yeah, I'm doing so much. [SPEAKER_01]: So that's crazy. [SPEAKER_01]: I mean, just got to just do it.

[SPEAKER_01]: So to the audience, a lot of people don't even know what RMF is, like, say, for example, I want to outside looking at what is the RMF process?

"Understanding Frameworks and Perspectives"

[SPEAKER_03]: So I mean, well, and everybody has their own perspective, you know, to be fair about it, but in my perspective, it's always been that it's very simple. [SPEAKER_03]: It's a framework, and if you consider that it's not going to give you all the answers, it's not going to ask you for all the questions. [SPEAKER_03]: It's a framework that you build around. [SPEAKER_03]: I think the biggest thing, and I'll give some positives to it that, you know, when,

[SPEAKER_03]: At least DOD, you know, kind of took that as their framework to work with from this, making the CCI correlations from the STIGs all the way down to each of the families and kind of giving a general idea of, okay, now I understand how this piece goes together, but a lot of people don't know the pieces, you know, it was a lot of learning it, manually doing it, trying to figure it out, not even knowing what you're doing, like I said, filling out a STIG checklist and just filling it over there.

[SPEAKER_03]: So that's kind of where the idea came from was like this should not be automated. [SPEAKER_03]: It shouldn't be something difficult and the tool itself should teach somebody who doesn't know RMF. [SPEAKER_03]: So if I'm filling out a checklist and I'm seeing the results and then it's telling me, hey, it answers to these controls, these particular families of controls, all that should be correlated together to somebody who could learn it.

[SPEAKER_03]: and still be able to do the job and automate the solution for it. [SPEAKER_04]: What was funny is I came out of just because I was like, I'm tired of using a STIG Viewer and I'm tired of having Java on my machine and it's a file that on email to 75 people. [SPEAKER_04]: So that was kind of ridiculous. [SPEAKER_04]: That's where it first got to me. [SPEAKER_04]: So we automated that part.

[SPEAKER_04]: But then what Dave was telling me where you got to take that and then there's statements and other stuff. [SPEAKER_04]: and then there's controls, and then there's sub-controls, and then there's CCIs, and I'm like, what the heck? [SPEAKER_04]: So he walks me through the process, and I was like, how do you, how do you not get frustrated? [SPEAKER_04]: And why are you doing this mainly? [SPEAKER_04]: I was like, this is, this isn't seeing, we have to automate this.

[SPEAKER_04]: Yeah. [SPEAKER_04]: So initially it was automate this checklist. [SPEAKER_04]: Then I started learning here. [SPEAKER_04]: The control, sub-control, CCI, C-MIT, C-N-6, the catch-all. [SPEAKER_04]: You see, rolling up the CCIs and all the other stuff, and doing on that, so our compliance engine with probably one of the bigger pieces we automated in that space, it was way too manual, way too manual. [SPEAKER_04]: And it's still as for something.

[SPEAKER_01]: Yeah, because even without first guys in the field, I haven't been as long as I have, I've been working in the field for five years. [SPEAKER_01]: They literally throw me in, I don't even know what is an ATO. [SPEAKER_01]: I'm over here. [SPEAKER_01]: CCIs. [SPEAKER_01]: What does this mean? [SPEAKER_01]: Controls.

[SPEAKER_01]: Like, like you said, like, if the software is not teaching you what it is, [SPEAKER_01]: That's not a good software, you know, and I love that y'all saw that problem. [SPEAKER_01]: So, what are some misconceptions about the RMF process, though?

"Breaking Down IT Misconceptions"

[SPEAKER_03]: I think, for me, I think a lot of the misconceptions is first the frustration, and I mean misconception, it is frustrating, but I think part of it is, no one has a standard process of teaching it and explaining it to somebody, and I know when I came into the IT field, I knew nothing.

[SPEAKER_03]: my first computer a guy took me to a computer show and his name was Kevin and he was like okay which video card you want he was like PCI or ISA kind of showing my age now but you know I was like what are you talking about this guy broke it down you know ISA 16 bit PCI 32 bit if each bit of data is coming across to put it on your monitor and

[SPEAKER_03]: which highway do you want to be on 32 lane or 16 but to be able to bring it down to a simple level that anybody can understand, I think it's the imperative part and a lot of software companies, big agencies, that kind of thing just go, hey, figure it out, here's what we're telling you. [SPEAKER_03]: And I think we need to start simplifying things and stop looking at it with our big brains and going, well I understand it, you should understand it, simplify it and get it to be easy.

[SPEAKER_03]: And then everybody can work together as a team to solve the project. [SPEAKER_04]: super complex, you know, taking the other thing that we see a lot is especially for some of the bigger companies when you have to do that, they just throw bodies at. [SPEAKER_04]: Yep. [SPEAKER_04]: So let me throw a whole bunch of people at it.

[SPEAKER_04]: If I get paid for butts and seats, I should want to throw more people at it because I make more money to challenge with that is that that only goes so far. [SPEAKER_04]: Yeah, they don't. [SPEAKER_04]: So I mean, the complexity was one thing, thinking that it's all only technical or it's all only process or positive. [SPEAKER_04]: It's a [SPEAKER_04]: And then the other challenge that I know a lot of people that we do with talk about You know, I do all my stuff here.

[SPEAKER_04]: It is I don't want to look out for a year. [SPEAKER_04]: I don't want to look at it for three years And these to be continuous. [SPEAKER_04]: This will also work on this well So it needs to be more continuous not just a checklist, but checklist validated with like Elastic SIEM like we're going to talk about later Look at the dashboard see exactly what's going on so it's not just a stamp of approval the other thing [SPEAKER_04]: Um, that I've seen there's two sides.

[SPEAKER_04]: One is I don't want to do compliance. [SPEAKER_04]: I just want to do cybersecurity. [SPEAKER_04]: And then the other side is, well, if I'm compliant, I'm secure. [SPEAKER_04]: Both of those are rough. [SPEAKER_05]: Yeah. [SPEAKER_04]: Yeah. [SPEAKER_04]: So, so compliance, compliance, cyber compliance is your pre-flight checklist. [SPEAKER_04]: And then you're doing cyber hygiene and cyber security, but there's a loopback. [SPEAKER_04]: So that's the other thing.

[SPEAKER_04]: We've been trying to tell people that for we were preaching that. [SPEAKER_04]: We've been evangelizing that. [SPEAKER_03]: Yeah, and while we've even talked about too, if you can, if you can free up the compliance side of it, if you can get to a more compliant system from a baseline, and again, this is about shifting, we've talked about shifting security left, and not building a system and then going, oh, now we have to make it secure.

[SPEAKER_03]: integrating that from the very beginning number one but number two if you can free up your people from compliance and it's automated and everything's being checked and validated and those types of things now I can get to cybersecurity now I can turn around and get some of the real stuff that needs to be done and it's fun to do get right. [SPEAKER_03]: but I've got a secure baseline that I can build upon so I can put the cybersecurity or a top of it.

[SPEAKER_01]: And that's the main thing when I first got into the field, I just thought you just had to hit check boxes. [SPEAKER_03]: You know, almost people thought. [SPEAKER_01]: Yeah, an SSP, but the thing I've learned over time is just because it's on SSP doesn't mean it's in your system, correct. [SPEAKER_01]: You know, it could be in your access control policy now your system. [SPEAKER_01]: So is it, is it, are you really secure?

[SPEAKER_01]: Or are your state, and then your state is too, like, [SPEAKER_01]: A lot of people do just dump a STIG somewhere and they never address it for three years. [SPEAKER_03]: So, well, and make the comparison, too. [SPEAKER_03]: Do you know that you have an access control policy, but do your STIGs in your configuration match to what you're saying in your access control policy?

[SPEAKER_03]: You can say, hey, if we bring somebody new in and they've got to go through here, they've got to get this checked off. [SPEAKER_03]: So, it has to sign them off. [SPEAKER_03]: So, it has to create their account, blah, blah, blah, blah, blah, but does it make us password complex? [SPEAKER_03]: Well, if you didn't put that into the system for when he got to first log in, then you don't validate that.

[SPEAKER_03]: It's layers of pieces that go together, but understanding how that works. [SPEAKER_03]: That's the key piece. [SPEAKER_01]: And then also, I just want to put it in. [SPEAKER_01]: And I even with STIGs. [SPEAKER_01]: Sometimes, sometimes, I can't do STIGs. [SPEAKER_01]: It can be really a CAT one. [SPEAKER_01]: Like, sometimes, I was, well, in the past, I was reading a CAT two STIG. [SPEAKER_01]: And I said, it's sent data to Microsoft.

[SPEAKER_01]: I mean, you know, working with government systems if it's sitting at the Microsoft, like, that's really bad, because it's not the at all. [SPEAKER_01]: That's the CAT one right here. [SPEAKER_01]: I wouldn't do that. [SPEAKER_01]: Well, depending on what data's being sent. [SPEAKER_01]: Yeah, and it depends on what data's being sent. [SPEAKER_01]: So this is, that's what we need to get. [SPEAKER_01]: And that's kind of leading into the question, right?

[SPEAKER_01]: Why do you think the government's so stagnant when it comes to that stuff?

Improving Processes Through Communication

[SPEAKER_03]: I think, from my viewpoint, I think number one we have, [SPEAKER_03]: Yeah, and I don't want to pick on the leadership because we've got good leaders, we've got bad leaders that happens in every organization. [SPEAKER_03]: I think part of it is we've gotten used to and then we just kind of fall into that.

[SPEAKER_03]: Nobody looks at improving or making a process better and I think part of it too is leadership doesn't see what the people that are actually implementing what they've said and the frustrations and the difficulties in the time consuming this going on. [SPEAKER_03]: So I think it's more of communication across the board and going, it works, but how do we improve it? [SPEAKER_03]: How do we make it better? [SPEAKER_03]: Again, it's a framework.

[SPEAKER_03]: How do we make the house better? [SPEAKER_03]: How do we make the house stronger? [SPEAKER_03]: I've got a frame, but how do I make it better and more efficient? [SPEAKER_04]: Okay, so that definitely won't be. [SPEAKER_04]: I would, honestly, I would get back to the other the butts and seat mentality of the big companies. [SPEAKER_04]: They don't want to be efficient because they make less money.

[SPEAKER_04]: Yeah, I mean, if we're being brutally honest, this is what it is, that's one child. [SPEAKER_04]: So are you incentivized to actually make it better and improve on it? [SPEAKER_04]: Coming in and trying to learn RMF, it's massive and complex. [SPEAKER_04]: So again, if you don't have a structure, if you don't have a system of place in the structure, or you're not going, you're not teaching RMF ahead of me, it's something like that.

[SPEAKER_04]: If you're not going in and you're thrown into the wolves, you're jumping in and you're going, how do I relate? [SPEAKER_04]: Oh, this goes too much. [SPEAKER_04]: So even just having our application, [SPEAKER_04]: To the point where you can see here. [SPEAKER_04]: Here's my controls. [SPEAKER_04]: Here's my part of the team Your RMF is a team process. [SPEAKER_04]: Here's my part of the team, but how does my part of the team? [SPEAKER_04]: How does that play out?

[SPEAKER_04]: If we were football team, I'm black and silencer. [SPEAKER_04]: Somebody's running behind me. [SPEAKER_04]: You know, there's a play option pass. [SPEAKER_04]: The quarterback gets to throw What are all of our team members doing and how do we get that job done? [SPEAKER_04]: That's another big one that I I I believe no [SPEAKER_01]: And I agree, so sometimes, I think, in shout out to Aaron McKenney, maybe we'll learn some, take our RMF Academy.

[SPEAKER_01]: But if, and I thank you, thank you, thank you. [SPEAKER_01]: And I know Y'all do training as well on your website also. [SPEAKER_04]: I'm training coordinator. [SPEAKER_01]: Yeah, I see it, but is RMF the real issue, or is it the agencies? [SPEAKER_03]: It's a combination, again, it's a framework. [SPEAKER_03]: Understanding, even if you learn math, there's a structure to a formula. [SPEAKER_03]: Once you know the formula, it gets really simple.

[SPEAKER_03]: It's a matter of learning the formula. [SPEAKER_03]: It's a matter of also learning what steps are involved in that formula. [SPEAKER_03]: And what order they need to happen. [SPEAKER_03]: I think part of it is a lot of the things that we've talked about. [SPEAKER_03]: Number one, [SPEAKER_03]: teaching people, making sure they understand coming into it's a complex thing to figure out.

"Streamlining Solutions and Efficiency"

[SPEAKER_03]: Making that simplified, I think in a short period of time we've already discussed it and I think a lot of people are going to go away. [SPEAKER_03]: I mean, I kind of understand RMF better now and we just had a 10, 15 minute conversation, but it's that and then again the butts and seats things. [SPEAKER_03]: those individuals that make those choices.

[SPEAKER_03]: I mean, if you can tell me I'm going to make a million dollars if I can handle this problem and I know I can make two million if I tell you it's going to take me this, this many people to do that and you're going to agree to that, then I'm going to take my two million in broad.

[SPEAKER_03]: But if I can tell you, hey, I can do it with half that number of people because I have this piece of software that compel this data in and correlate everything that everybody can work together in as a team to make sure we're solid. [SPEAKER_03]: Well, then I just saved you a million up. [SPEAKER_03]: So it's a matter of having the right mentality, the right attitude, and wanting to be successful and get something that's going to be better than it was before.

[SPEAKER_03]: That's my opinion. [SPEAKER_04]: The other piece that we constantly bump into is when you're submitting your stuff to the government or they're asking for everything, they're asking for eight ways to say the same thing. [SPEAKER_04]: They're asking for all your checklists, they're asking for all your policy, all your procedure, your plan of action milestone, that'll be up to date, not three months ago.

[SPEAKER_04]: Your checklists should have been yesterday, not in that in a month or two or three years. [SPEAKER_04]: And even your checklists have to be within the 30 days, aren't they?

[SPEAKER_04]: We know, because we've been doing this DITSCAP, DIACAP kind of on the Seaman Sea, February and

[SPEAKER_04]: and you're going through your day, I'm already doing my scans, so let me throw them in OpenRMF Pro. [SPEAKER_04]: And then let my, you know, the person has claimed, you know, the PM, the analyst, whatever, she can actually make sure it's all updated and loud. [SPEAKER_04]: We know where we are. [SPEAKER_04]: Data calls are done real quick. [SPEAKER_04]: Now, let me get back to my other job. [SPEAKER_04]: So it's, it's just part of your workflow versus the O about away.

[SPEAKER_04]: Yes, the other thing that we've run into. [SPEAKER_03]: I mean, example of the opposite of that, and this is the problem where you're trying to fix, we work with a group, Dale and I both, and my team, I took care of the sysadmin team, and the network admin team, hey, I need all your checklists, and I had to kind of give them to this lady, and she was supposed to keep our POA&M up to date.

[SPEAKER_03]: That was half a day's work every day, trying to collect that data, update that POA&M, get the information over to the government and everything, 50% of a person. [SPEAKER_04]: Yeah, 50% of the FTE, yeah, that was the third or fourth company where going back to your question, when did it click? [SPEAKER_04]: That one was like, this is dope. [SPEAKER_04]: This has to fix this, then we're not going to wait on the government to fix and it's going to take too long.

[SPEAKER_04]: So we'll automate show what how it's done. [SPEAKER_04]: So we started with the open source one now. [SPEAKER_04]: We got the Professional version, but yeah.

[SPEAKER_04]: So that was the other big kicker, but yeah, just time saving and getting all the data right and updated and in a format that the government can accept, leading into the, you know, [SPEAKER_04]: Automation is some of the year that you're automating SBOM, you're linking it with some of the other things we want to talk about. [SPEAKER_01]: Yeah, I understand what you're saying on that. [SPEAKER_01]: Especially, I didn't want to go back double down on the issues.

[SPEAKER_01]: The biggest thing is education. [SPEAKER_01]: So, education about what's going on is it will help. [SPEAKER_01]: And then maybe the agencies can be congruent because everybody does it differently. [SPEAKER_01]: DISA, Navy, everybody does it differently. [SPEAKER_04]: Even inside of them they do a demonstration. [SPEAKER_03]: And that's another thing that's another thing. [SPEAKER_03]: By using OpenRMF, you've standardized your process.

[SPEAKER_03]: Build your process is around something that's a solid solution. [SPEAKER_03]: I think that would benefit a lot of people too, and I'm not trying to sell our software. [SPEAKER_03]: I'm just saying whatever software I think ours is great. [SPEAKER_03]: That's all for you. [SPEAKER_01]: We've got a great answer.

"Streamlining RFP Team Collaboration"

[SPEAKER_01]: Yeah. [SPEAKER_03]: An OpenRMF Professional can standardize your process. [SPEAKER_03]: It's a team collaboration tool, so that's why it's going to standardize the process. [SPEAKER_03]: Because everybody's going to know, here's how we get the checklists and information in there. [SPEAKER_03]: These are the ones I'm responsible for. [SPEAKER_03]: We have a thing called Team Subpackage.

[SPEAKER_03]: where you can carve out those checklist areas and give certain people responsible or certain teams responsible. [SPEAKER_03]: If you're just their area of that entire package, but you as the ISSE can see all that data to handle the entire package. [SPEAKER_04]: You give it to some of the noise that doesn't really mean anything, plus they can't mess up what they don't have access to. [SPEAKER_04]: So which is a kind of, it's almost like a least privilege, which is, what?

[SPEAKER_01]: Yeah, it's a... Yeah, it's a... Yeah, yeah, yeah. [SPEAKER_01]: Let's see, we'll see about that, because I don't think a lot of people follow that right now. [SPEAKER_01]: But, but the move on, so you, you kind of, your both talked about some of the bottlenecks of the ATO packages. [SPEAKER_01]: You got poems, you got controls.

[SPEAKER_01]: talk about ways that your company doesn't and just talk about it in general like how this needs to be improved and we talked about continuous ATO many many times so wish our thoughts on that. [SPEAKER_04]: Yeah, so the first thing we tried to do, like I said, was automate the STIG process. [SPEAKER_04]: So take your SCAP scans, your auto compliance scans, or your CIS, you know, all different scans from Nessus or whatever.

[SPEAKER_04]: And take those and automate those, track all the changes. [SPEAKER_04]: We have external APIs as well. [SPEAKER_04]: So do your scans to automate domain in the track, everything, you know, bulk edit checklists, locking false positives, all the custom. [SPEAKER_04]: We had the POA&M as well as the live POA&M. [SPEAKER_04]: You add in your Nessus patch vulnerability scans. [SPEAKER_04]: So you're already doing the scan.

[SPEAKER_04]: We didn't want to start with, here's our software. [SPEAKER_04]: You got to pay us $300 an hour. [SPEAKER_04]: We're going to come in for three months and map out your process. [SPEAKER_02]: No. [SPEAKER_02]: We've seen that with a lot of GRC fails. [SPEAKER_02]: So no, that was our strategy. [SPEAKER_04]: Yes, so here's our software. [SPEAKER_04]: It's purpose built. [SPEAKER_04]: There's a particular niche. [SPEAKER_04]: There's a lot of people in it.

[SPEAKER_04]: There's a particular niche that we solve the problem. [SPEAKER_04]: You're already doing all your scans and everything else. [SPEAKER_04]: Throw your data in, automate around it, get all your vulnerabilities done, get your burndown chart, get your software bill of materials, your hardware, your PPSM, your patches. [SPEAKER_04]: All that can come from all your scans natively, from the ground up you build it. [SPEAKER_04]: Live POA&M is in there.

[SPEAKER_04]: We add in compliance statements for access, training, awareness training, your access, your PM, the incident response. [SPEAKER_04]: So you add all that in, and then you generate compliance, and then you update across your team, generate compliance, and then you track your history of your compliance. [SPEAKER_04]: So it lets you know where you are, across your whole team.

[SPEAKER_04]: You can do that collaboratively, like you said, air-gapped, NIPR, SIPR, JWICS, special access program people, they, subsets, some SAP programs that use us as their eMASS. [SPEAKER_04]: Could you can't be funness? [SPEAKER_03]: You can, you can. [SPEAKER_04]: But they still have to report it. [SPEAKER_03]: And they still want to do it, so they want to make sure they meet those requirements and things.

[SPEAKER_03]: And I think that's a big point too, when you were talking about starting off with our open source version. [SPEAKER_03]: You know, checklists were the big thing. [SPEAKER_03]: We have, you know, DISA puts out STIG Viewer. [SPEAKER_03]: We all know about it and I'm not trying to talk it down, but it's a client-based tool. [SPEAKER_03]: I'm working on my checklists and then I got to take them, I got to save them off. [SPEAKER_03]: I've got to import my scans to them individually.

[SPEAKER_03]: You know, it's one at a time, one at a time, lots of time. [SPEAKER_01]: Can you break them up with client-based new audience?

"Web-Based Tools vs. Client-Based"

[SPEAKER_03]: Yeah, so client-based is something that you would install directly on your machine. [SPEAKER_03]: So your workstation, your laptop, you know, that kind of thing, where we wanted a web-based tool. [SPEAKER_03]: We wanted one that it was sitting on a server, everybody can connect to it, everybody has a browser. [SPEAKER_03]: It doesn't matter what the web browser is.

[SPEAKER_03]: Connect to the tool, use it, it's got a graphical user interface, you know, just like a client tool, but now I'm not installing Java on my laptop. [SPEAKER_03]: I'm not putting, you know, code on it from, from, uh, whoever, but in this case, DISA or whoever puts out the tool, and then they update the tool and you're like, oh shoot, now I got to get the new version because mine's not working with this new checklist or, you know, SCAP scan, and your whole [SPEAKER_04]: checklists.

[SPEAKER_04]: Oops, I forgot, you emailed me an old one. [SPEAKER_04]: Now I lost that. [SPEAKER_04]: I don't have a backup. [SPEAKER_04]: I don't want to have this. [SPEAKER_04]: So all those problems go away. [SPEAKER_04]: Get your stuff done. [SPEAKER_04]: You get 90 percent of your time back just with our application. [SPEAKER_04]: What we do, we have a savings calculator on our website for that. [SPEAKER_04]: You get 90 percent of your time back.

[SPEAKER_04]: For some of these larger groups, like our big WD customer, it's in the millions of dollars that you could reallocate in people and time, or just like them. [SPEAKER_04]: They don't have all the people they need to do the job. [SPEAKER_04]: So you can automate most of that away, find the, find the bad data, fix it, figure out where you are, get your compliance done, your assessor comes in, she sits down, she sees that all your data is structured.

[SPEAKER_04]: This is where I was, this is everything that we did, here's our, you know, we have a journal in essence, we have like an accounting ledger, here's everything I did, here's all my burndown charts, here's my POA&M, here's my mitigations, here's all my checklists, here's my SSP, my SAR, my RAR, here's all my data structured right here for you, [SPEAKER_04]: There you go, she comes in, she already likes you. [SPEAKER_04]: Because you just made her job easier.

[SPEAKER_04]: So instead of five days or a week and a half, she's there for like two and a half, three days, and she can know exactly what you've done. [SPEAKER_03]: Because she can already validate part of the controls too. [SPEAKER_03]: Your configuration management's there. [SPEAKER_03]: Your continuous monitoring's there. [SPEAKER_03]: I can see that you guys didn't start fixing things three days before I showed up. [SPEAKER_03]: I can see that it's been there.

[SPEAKER_03]: Yeah, I got a lot to see. [SPEAKER_03]: Sometimes that happens, you know. [SPEAKER_03]: Right, but this, this proves it, it's validated walking in. [SPEAKER_03]: If you're the, if you're the, if you're the assessor coming in, you can go into OpenRMF Professional, open it up and say, I want to see the history of your checklists. [SPEAKER_03]: Oh, look, I can see where it's been improving over the last year versus, versus two days ago. [SPEAKER_01]: Two days or three days.

[SPEAKER_01]: All right. [SPEAKER_04]: Yeah, and if they're away, if they're a third-party assessor and they're allowed through a VPN or whatever to access, they could do that remotely because it's web-based.

"Web-Based Third-Party Assessments"

[SPEAKER_04]: And you're not emailing them 80 megabytes versus, you know, it's web-based, it's right there, click some buttons, download some stuff. [SPEAKER_04]: We've also seen, there's a group of FMS that's using our application, and in the Qatari group, there's your application. [SPEAKER_04]: So if they have OpenRMF Pro there, they have all the stuff for the people. [SPEAKER_04]: And then they start a new, we call it a system package.

[SPEAKER_04]: They start a new accreditation package, and they sample some of their data through it in, and then they can compare the two to see is a real or not for like a third-party assessment. [SPEAKER_04]: Before you either go to your, your scour, you go for your real assessment. [SPEAKER_03]: Well, even though if you were to be a group now, you even those two groups you're talking about.

[SPEAKER_03]: When we talked about people not understanding RMF, we have a group that's still in the training and stuff and using our tool for that, with the Qatari group. [SPEAKER_03]: They don't, they can't even spell RMF or an ATO. [SPEAKER_04]: Yeah, foreign military sales group talking to the federal government to get stuff done. [SPEAKER_04]: The federal government says, we need you to do RMF. [SPEAKER_04]: And like, what is that? [SPEAKER_04]: Well, what's RMF?

[SPEAKER_04]: What is RMF, right? So just getting people that aren't familiar with it to understand it, and again know that, they like that it was simple. They like, they, they could do their scans, they could load it in there, they can understand it. The government group that's using it likes it, and then their foreign military sales group can use it, and they can do what they're doing, or know where they stand before they have to connect up and do business. And then the flip side of that as well, we got a group in

[SPEAKER_04]: France that's using our application to get all their stuff right, because they want to sell military equipment to like VADHA and others. So the same thing, they have to supply all that data through RMF to their federal government to sell to the government. How do they do that right now? [SPEAKER_04]: They do it all with a big Excel spreadsheet.

[SPEAKER_04]: That's three cigarettes everybody's trying to access, and then it blows up. [SPEAKER_01]: So, so you, we're gonna hold that point. [SPEAKER_01]: So, so overall, like, what have you noticed that the governments use, and they're not using software? Like you said, they use Excel sheets, a lot of them. [SPEAKER_04]: Oh, yes, it's a good Excel.

[SPEAKER_04]: Or a PDF. Yeah, and then you're using eMASS, but there's this small subset of people that get to eMASS. [SPEAKER_04]: It's not a whole team that has to help you get the data. [SPEAKER_04]: No, and go into it. [SPEAKER_04]: So that's where we've referred in, to collaborate to get the data correct before it goes into eMASS. [SPEAKER_04]: I think a lot of the groups are using, right now, a lot of the groups are using file-based stuff.

[SPEAKER_04]: Yes, even though it's 2026. [SPEAKER_01]: And that's not secure, right? [SPEAKER_01]: And that's not really secure to, like, stay and put in a state. [SPEAKER_03]: I mean, it isn't, it's not. [SPEAKER_03]: I mean, if you think about it, you're passing it through secure emails, especially if you're working for, like, DoD or something like that, they have their own secure email system. [SPEAKER_03]: But the big thing is, is I email you a checklist, and then I sent you the old one.

[SPEAKER_05]: Yeah. [SPEAKER_03]: You know, when I was supposed to update it, you can't keep track of what the latest version is, things of that nature. [SPEAKER_03]: So then we even did it back at Naviode Detective. [SPEAKER_03]: We had a folder share on a server. [SPEAKER_03]: So it was like, hey, put your checklist in here, and then we were trying to put new dates on folders to keep track of whose was what, but even that became convoluted.

[SPEAKER_03]: And then I got to take all that information and I got to update the POA&M. [SPEAKER_03]: Um, yeah, manually. [SPEAKER_04]: So, and it's annoying. [SPEAKER_04]: So, our one customer had 4,000 devices and 25,000 checklists in one massive infrastructure ATO. [SPEAKER_04]: So, tell me how they were validating the house. [SPEAKER_01]: Yeah. [SPEAKER_01]: That's too much, man. [SPEAKER_01]: I don't know. [SPEAKER_01]: And we've had other groups. [SPEAKER_04]: Automating that.

[SPEAKER_04]: Even us going through generating all that through our, um, our compliance engine, it went through [SPEAKER_01]: Oh, what if I'm not? [SPEAKER_04]: Yeah, which isn't, I mean, it's a while. [SPEAKER_04]: But do we do all the checklists, all their inherited controls, all the compliance statements, all the controls to the CCI, blah, blah, blah, blah, blah, blah, source.

[SPEAKER_04]: It's then five days just to go through all of the checklists to do what version of STIG and type, to hand to give their assessor, to know what she was walking into. [SPEAKER_04]: That's not even compliance. [SPEAKER_04]: So we do that reportedly in five seconds. [SPEAKER_03]: Well, and giving them another way, these customers ask us for reports. [SPEAKER_03]: You know, we had reports already in there, but we'd take customer feedback.

[SPEAKER_03]: One of them was, you know, how do I know that when they filled out the checklist, they closed it as not a finding, did they put any details or comments, and if they haven't? [SPEAKER_03]: We built a report. [SPEAKER_03]: I mean, they took one on himself that the development scene went out of. [SPEAKER_04]: I didn't sound that they marked it either not applicable or not a finding, but no comments or details. [SPEAKER_04]: There's a click-the-button, it's his save and center one.

[SPEAKER_04]: So he stopped them and said, you need to fill in your data correctly or our interest. [SPEAKER_01]: So, something I'm learning now, like a lot of these government industries, they want deliverables. [SPEAKER_01]: So, y'all are tracking those deliverables to send it to them. [SPEAKER_01]: That's just, yeah. [SPEAKER_04]: Right, yeah. [SPEAKER_04]: So, you can do your artifacts like emails and other stuff.

[SPEAKER_04]: But even your monthly schedules and some other stuff, you can download your burndown chart. [SPEAKER_04]: You can download your activity report. [SPEAKER_04]: You can download a lot of this and show what they're doing as well. [SPEAKER_04]: We have a download of a PowerPoint presentation. [SPEAKER_03]: Yeah, that has a date in it.

[SPEAKER_04]: Just those who sat, plus my numbers, this is my burndown, like these are all the controls, this is the percentage that I meet all these controls and the control families, you know, put your design on it and hit a five and go. [SPEAKER_01]: Okay, that's good, because there's another thing I was going to hit on, is like, with documentation. [SPEAKER_01]: We know a lot of people are mainly doing documentation. [SPEAKER_01]: We don't know what was going on.

[SPEAKER_01]: Does your software help with that? [SPEAKER_04]: Right now, it helps some with the SSP list of controls and other stuff. [SPEAKER_04]: The POA&M, or your checklist, you know, they can be exportable, you know, to a CKL, CKLB, or the person asked the other day. [SPEAKER_04]: If they don't have the checklist viewer, uh, export it to Excel and throw it out.

[SPEAKER_03]: Yeah, so it does that kind of stuff, and our Excel exports are color coded, so like, you know, looking at it, what's closed? [SPEAKER_03]: What's open? [SPEAKER_03]: What's CAT one? [SPEAKER_03]: What's CAT two? [SPEAKER_04]: Right. [SPEAKER_04]: Yeah, so there's, there's a test plan summary. We're not on a point yet. [SPEAKER_04]: We're regenerating the full 200-page SSP that people print out and nobody ever reads. Yeah, the no-one.

[SPEAKER_04]: Yeah, no while, well, you some, yeah, we're working for, yeah. We're all working towards having some of the, the link up with like Elastic and some other stuff.

Automation and Data Integration Progress

[SPEAKER_04]: We're also working to be able to take all that data through an ingestion, and generate your statements from your documentation, so you're not fat-fingering it in. [SPEAKER_04]: So it learns from it. [SPEAKER_04]: So we're working towards that as well. [SPEAKER_04]: Again, shrink your timeframe, make the data as true as possible. [SPEAKER_01]: And automate off of it and automate the whole thing. [SPEAKER_01]: That's what we're going to, an RMS place.

[SPEAKER_01]: You have no choice. [SPEAKER_01]: You can't do a cATO. [SPEAKER_01]: Because even they told me to see the CTO, which I think she was the ODO, I forgot her name, Cathy. [SPEAKER_01]: Cathy was the ODO WC. [SPEAKER_04]: They want your data specifically for software around like container images for your SBOM and off. [SPEAKER_03]: Which we also take in. [SPEAKER_04]: And that's a preliminary. [SPEAKER_04]: You still got to do all the other stuff.

[SPEAKER_04]: That's just the gatekeeper to do that. [SPEAKER_04]: So we're working towards that. [SPEAKER_04]: We're actually working towards that. [SPEAKER_04]: I love her concept. [SPEAKER_04]: We're working towards that concept for the whole ATO. [SPEAKER_04]: To give me all my data, to throw it in, do they need to do all the reporting around all of that?

[SPEAKER_04]: What are the thresholds I'm allowed to meet or not allowed to meet, to even go through the preliminary one to say, hey, there's a preliminary too, now I can ask you to talk to my assessor. [SPEAKER_04]: You shouldn't have people manually doing it. [SPEAKER_04]: We're gonna automate that as well, I'm completely happy to. [SPEAKER_01]: So a couple more questions. [SPEAKER_01]: What is the future of RMF right now?

[SPEAKER_01]: Keyak, tell me in plain English, and also bringing in a little bit of FedRAMP and the SBOMs, anything like that. [SPEAKER_04]: Yeah, so what we're working towards, we're working towards, like you talked about, working towards continuous ATO, we've been working towards that for a while. [SPEAKER_04]: We've been, we've literally been talking about that for about four years.

[SPEAKER_04]: So what we're working on now, hey, yeah, we have the foundation with OpenRMF Professional, and that's your compliance piece. [SPEAKER_04]: For the last several months, almost a year, several months, we've worked with Elastic. [SPEAKER_04]: The company Elastic, elastic.co. [SPEAKER_04]: We've worked with Elastic with their Elastic SIEM, so security incident event management. [SPEAKER_04]: So we've been working with them to, okay, here's the compliance.

[SPEAKER_04]: Elastic SIEM takes in all your data and then they have some machine learning pieces they put in to bubble up. [SPEAKER_04]: What are the actual issues that notify you? [SPEAKER_04]: They broke that down all the way down, we worked with them all the way down to the CCI level, so those dashboards roll up to any framework. [SPEAKER_04]: You know, Lady Tau, FedRAMP, CMMC, RMF. [SPEAKER_04]: So you actually bubble those up. [SPEAKER_04]: That tells you exactly what is going on.

[SPEAKER_04]: That is going to automatically feed back into our application and track the history of that across your CCIs for your hosts and all that. [SPEAKER_04]: So that's more continuous right there. [SPEAKER_04]: You also have some of the other pieces that they have that's great, is they can link in multiple LLMs, large language models.

Automated Cybersecurity and Data Integration

[SPEAKER_04]: So we've been, again, working with them to take documentation and put documentation in there, taking all of our data, putting our data in there, and then asking questions around your ATO, or even your whole portfolio of everything. [SPEAKER_04]: Ask your questions, interacting with chatbots, in essence. [SPEAKER_04]: Asking a question, interviewing, interviewing, basically, [SPEAKER_04]: your accreditation package, you know exactly what's going on, you know, what is happening.

[SPEAKER_04]: I can actually ask a question and not know all the art, you know, the RMF AC-2-3-5-B-1-X-Y-Z. [SPEAKER_04]: I can actually ask some of that data and then get that data back. [SPEAKER_04]: That also, that's putting all that together. [SPEAKER_04]: You're putting all the data into the system that has your Elastic SIEM data, your cybersecurity, your cybersecurity compliance strategy, putting all that in there.

[SPEAKER_04]: When you have all that and you can automate around it, you can do, I mean, if you want to think far out, you could do virtual property. [SPEAKER_04]: You could take that into a digital twin or a parent-child relationship and then attack that. [SPEAKER_04]: You could do so much more when that data is collective and automated around that.

Automated Data Management Possibilities

[SPEAKER_04]: There's so many more things you could automate, you save yourself out to S3 Glacier Storage, automatically. [SPEAKER_04]: There's so many things you could do around that that we talk to people on, but automating, getting to the point of doing it on that. [SPEAKER_04]: And you can do that whether it's cloud-based or on-premise. [SPEAKER_04]: But you could take our software and do that.

[SPEAKER_04]: So cloud-based, hybrid, or on-premise, air-gapped, any of that kind of stuff, all of what I just said, with their software in combination, we could do that. [SPEAKER_04]: And again, get to the continuous automation and know exactly what's going on with your system. [SPEAKER_04]: Generated documentation when you need it, hit the button, and generate OSCAL, compliance as code, and send that out to get approval, or get the two organizations to link up and relate.

[SPEAKER_04]: All of that, once your data is in one spot and automated, all of that's possible. [SPEAKER_03]: And we've had a lot of customers that have told us too that the fact that we're not cloud, we're not a SaaS, that they can keep their data, they manage their data, they handle their data, it doesn't talk back to us at all, it doesn't go out to any other interface. [SPEAKER_03]: Because why would I want to have my security information?

[SPEAKER_03]: All of the bells, whistles, and details sitting out in a cloud service. [SPEAKER_03]: Especially when my infrastructure might be in that cloud service.

[SPEAKER_03]: Not everybody wants that, and those that do, that's fine, I totally get that, and I'm not saying they're not secure, but a lot of people want that separated. They want all the bells and whistles kept together, because those are answers. It's kind of like having all your financial information. If you don't want the bank having all of it, you want your mortgage company having your mortgage, you want your bank having your bank, you want them separated, that kind of thing.

[SPEAKER_04]: Yeah, so we have that. To go back to some of the FMS people, that's a, that's a group of people we didn't even know we were trying to serve, frankly, but they want their stuff in their own country. Okay, just there. [SPEAKER_01]: I got you, you know, yeah, they don't want to share with somebody else. [SPEAKER_04]: I mean, if I'm in Belgium, I want it in Belgium, but if I'm in France, I want it in France. [SPEAKER_04]: So that's another thing that was interesting to come into.

[SPEAKER_04]: And then again, a lot of those companies, we are in country, people outside of the countries we've talked to, again, are still doing this manually. [SPEAKER_04]: So automating it and then using that as a foundation to bring in your telemetry data, your security data, know exactly what's going on, your figure, and all, whatever, be given to have all that in one spot, [SPEAKER_01]: And that's what the future has to be. [SPEAKER_01]: We can't do manuals.

[SPEAKER_04]: There is no other option to do that. [SPEAKER_01]: And with AI and all this stuff coming, we got to make sure we have this continuously going. [SPEAKER_01]: And I wanted to. [SPEAKER_04]: Yeah, the other thing that's interested with our application, we've just started to talk to people about, is if you're going to automate around your data, it better be right. [SPEAKER_04]: It'd better be clean.

[SPEAKER_04]: So the other thing that we have is, you know, you're going through, you're looking at your data, you're going to automate around you. [SPEAKER_04]: You're looking at your data, it comes from your truthful scans. [SPEAKER_04]: It's coming from your, your application. [SPEAKER_04]: It's coming in. [SPEAKER_04]: It's not me asking, it's, it's admin. [SPEAKER_04]: Hey, what is the answer to blah, blah, blah? [SPEAKER_04]: We're looking at it from the actual real data.

[SPEAKER_04]: And that comes in. [SPEAKER_04]: And the data is clean. [SPEAKER_04]: Everybody's collaborating around the, the data is truthful. [SPEAKER_04]: Now you can actually automate around it and have trust us. [SPEAKER_04]: Which is another big deal. [SPEAKER_04]: That's, that's good. [SPEAKER_04]: That's powerful. [SPEAKER_01]: And also, too, which I saw where you couldn't use of a training, also, right?

[SPEAKER_01]: Yeah. [SPEAKER_01]: And I think I make that publicly known in our website, and the journey. [SPEAKER_03]: Yeah, we don't make a big deal, a lot of our website, but we do. [SPEAKER_03]: We have a complete academy. [SPEAKER_03]: I mean, and people can go in and purchase training if they want right off the academy. [SPEAKER_04]: comes with the software that you can purchase well.

[SPEAKER_03]: Yeah. [SPEAKER_04]: It teaches you RMF, but teaches you RMF from around our application, and it simplifies it because Dave understands, Dave is unique in the fact that Dave understands the technical and the policy and procedure side. [SPEAKER_04]: Usually you talk to somebody, it's one or the other. [SPEAKER_04]: Well, and I always know there's most of you wanting to train because it just makes sense. [SPEAKER_03]: And I appreciate that.

[SPEAKER_03]: I mean, Dale's known me for 20 some years. [SPEAKER_03]: So I always joke, I said, I've had people and I'm not a big head person, but you know, I've had people say you're really smart. [SPEAKER_03]: I'm not. [SPEAKER_03]: I'm extremely lazy. [SPEAKER_03]: I want to figure out how to do a better way. [SPEAKER_03]: You can smart, exactly. [SPEAKER_03]: I can be a nice thing. [SPEAKER_03]: And that's the thing.

"Automating for Efficiency"

[SPEAKER_03]: I worked with people all the time. [SPEAKER_03]: We used to write these, you know, or do these things manually. [SPEAKER_03]: And I'd look at one of my team members that I knew was good at scripting. [SPEAKER_03]: And I was like, how do we automate this? [SPEAKER_03]: Can you write a script to do that? [SPEAKER_03]: And I think all of that history between the two of us, like he said, we mesh together, is where this idea came from.

[SPEAKER_03]: It was all those different things of, why do we keep doing things this way? [SPEAKER_03]: It should be better. [SPEAKER_03]: Okay. [SPEAKER_03]: So, but on the training side, I mean, I went to California, that the group we were talking about, we met with them, the Qataris for that foreign military sales. [SPEAKER_03]: One day, [SPEAKER_03]: They couldn't spell RMF. [SPEAKER_03]: One day of me just showing them the product. [SPEAKER_03]: It wasn't going through a full training class.

[SPEAKER_03]: But showing them how to ingest scans, how they would get their information. [SPEAKER_03]: And they were like, wait a minute. [SPEAKER_03]: Now we know how this works. [SPEAKER_03]: They already had a foundation. [SPEAKER_04]: It lowers the blood pressure in the room as well, so that you can comprehend it, and it's not just some big thing to be able to follow in here.

[SPEAKER_01]: So now also, some of my, like, are using a software to actually train, like, show them, like, oh yeah, just do the training, or just do the training. It's a combination of things. [SPEAKER_03]: We have people that take the tool and they do training with it. The, the, the, the Qataris was kind of that boat. [SPEAKER_03]: I came in with my laptop, dropped it down, brought it up, spun it up, showed it to them. They were using it.

[SPEAKER_04]: Yeah, meeting with them [SPEAKER_04]: He actually got them to start using it and get comfortable with it. [SPEAKER_03]: And they were asking questions, like they were getting it because they were good questions. [SPEAKER_03]: That's in a day. [SPEAKER_03]: Taking that on, for instance, now I go out to a group in California, the one customer we talked about, their large organization. [SPEAKER_03]: I had 175 people in a video chat room, I think it was.

[SPEAKER_03]: So some people were remote, some were sitting there in the classroom, so I'm training

[SPEAKER_03]: And in the questions that were coming out of it, but there weren't a lot of questions, because they were getting it as they were seeing it on the screen and seeing it. Because the thing I've learned from training people, you know, using Excel sheets and things, if they can actually see it and see me do it, they'll get it in two seconds and get rid of the Excel. Show them how it all correlates.

[SPEAKER_04]: So the one training class, some of the people were remote, but there were some people there, and we gave them access to our demo site. So they were basically logging in with their own permissions, loading up their sample files, seeing all the things play out, clicking on stuff, downloading stuff, changing things, how does this report work? [SPEAKER_04]: How does that work? [SPEAKER_04]: So yeah, it also, again, it lowers the blood pressure in the room around RMF because you have to do it.

[SPEAKER_04]: Do you have to do it? I have, you have to do it. [SPEAKER_04]: No, so I can't do it well. [SPEAKER_03]: I mean, imagine just having a sysadmin, and I don't mean to put down a sysadmin, and I was one at one time. [SPEAKER_03]: But my job is just to take care of these 12 servers. [SPEAKER_03]: So I threw my stuff up in OpenRMF Professional and my system package. [SPEAKER_03]: And I've got all my information, I got it, created my checklists automatically off of their scans.

[SPEAKER_03]: I didn't have to do the ones he Tuesday at a time, make 25 at a time, boom, move over, hit compliance. [SPEAKER_03]: And then I see where my data applies to getting us compliant. [SPEAKER_03]: I see it all the way through the entire process with the way the data correlates together. [SPEAKER_03]: That's a training session in itself, and that person could be sitting there in their own room by themselves on the tool. [SPEAKER_03]: It's remarkable.

[SPEAKER_04]: Yeah, they understand what their sister was telling them. [SPEAKER_04]: Yeah, that's what they'd make. [SPEAKER_01]: You see the light bulbs for that? [SPEAKER_04]: I thought of the team does. [SPEAKER_04]: Yeah, okay, that makes it more sense. [SPEAKER_01]: Yeah, I got me excited. [SPEAKER_01]: Nah, make sure you got to take them out.

[SPEAKER_01]: Um, this is the one thing I was wanting to... What is one thing you want to let the audience know about compliance and what the future is?

Automated Compliance with Elastic SIEM

[SPEAKER_04]: Um, I'm actually, honestly, I'm excited about what Dave's working on with Elastic. [SPEAKER_04]: So the fact that you, we, we, we built the foundation to automate compliance, but that's still a snapshot moment in time. [SPEAKER_04]: Taking the, the thing like Elastic SIEM. [SPEAKER_04]: They're not the only one, but taking Elastic SIEM and taking that data, learning from it and having it automatically apply back in, update your compliance to know exactly where you are.

[SPEAKER_04]: That's a B1, and then using some of the, um, the fact of using some of their search. [SPEAKER_04]: So we have some, it is, um, you know, the proof of concept that we've done. [SPEAKER_04]: But take it all the way. [SPEAKER_04]: So you're, all your whole portfolio of 25, 30, 80, 150 ATOs.

[SPEAKER_04]: So put that all into their search engine, doing RAG search, your retrieval augmentation, but doing context around the data with your SIEM data, and your compliance data, and being able to see everything around your whole network and all your compliance data, and being able to ask questions, ask questions you had never thought of, and have that come back and teach you stuff. [SPEAKER_04]: It's really frickin' cool to see, man.

[SPEAKER_04]: It's really, really, it's cool to see as a technical geek, number one. [SPEAKER_04]: Go number two, being in the space forever. [SPEAKER_04]: It's cool to see you get answers back quickly, which means you can go back and fix stuff quicker. [SPEAKER_04]: Versus every week or two or three, or hey, my checklist had been updated in four weeks. [SPEAKER_04]: I probably should run a new scan.

[SPEAKER_04]: You know, we got people automating scans and then running it with Python into our API and updating, and then you link in Elastic SIEM and some of the searching. [SPEAKER_04]: It makes the assessor's job better, and everybody else is better, and it shows you truly what you have in front of your own hands. [SPEAKER_04]: Again, RMF, CMMC, CSF, you know, U.S.E, XYZ. [SPEAKER_04]: Better on, right? [SPEAKER_04]: Yeah, you got it.

[SPEAKER_03]: Well, and I think the big thing with me, it's funny. [SPEAKER_03]: I like the automation that I'm starting to see in the software side of things, because I think forever it's been the sysadmins and network admins. [SPEAKER_03]: The developers have been doing their things off to the side, hey, install this application on the server, get it up and running, and then we're like, wait, we got problems.

[SPEAKER_03]: Everything else is secure, but we didn't know that this was important within the software. [SPEAKER_03]: And by the way, the software is what somebody's attaching to. [SPEAKER_03]: There's the open port, 443, or 80, or 80, but the things that are coming

"Enhanced Layered Security Compliance"

[SPEAKER_03]: and pulling in, they can do software container scans, they can give you the hash information, SBOMs, on the bottom. [SPEAKER_03]: And we can import that information in. [SPEAKER_03]: So now it's in your package. [SPEAKER_03]: So now you can look at your ATO, and everybody's talked about this for so many years, the layered security approach. [SPEAKER_03]: Well, before, [SPEAKER_03]: I just had checklists.

[SPEAKER_03]: I just thought, okay, everything's locked down, at least that's what I've got off my scans and what I put in here. [SPEAKER_03]: But now I can look at the software layer. [SPEAKER_03]: I can look at the system layer. [SPEAKER_03]: I can look at the OS, the Chrome, the OS, or excuse me, the browsers. [SPEAKER_03]: And I can see that everything is meeting the compliance standard that we're expected to meet.

[SPEAKER_03]: And I think that's huge and to be able to automate that through and get secure containers from one platform and some of these new

[SPEAKER_04]: But also ingesting that information and throwing it into your package, so now you've got layered security information. Yeah, that's awesome, because everything, our application, is 100% containerized. So a lot more coming from that, a lot more wrapped into it. Even me, when I was first starting out, a lot of developers, you grab an image and you run with it. [SPEAKER_04]: It's open source. [SPEAKER_04]: Who the heck built it? [SPEAKER_04]: Well, what did they put in it?

[SPEAKER_04]: What did they do? [SPEAKER_04]: Well, what is running what's not their software where we'll let you profile it until you got you. [SPEAKER_04]: 80 packages in your image, you're only using 30 up. [SPEAKER_04]: Get rid of 50, get rid of your CVEs, shrink your size, shrink your attack vector. [SPEAKER_04]: Now your software is more secure. [SPEAKER_04]: And if you use your butt to edge or edge or base image, do a disaskant on your image.

[SPEAKER_04]: And then we make that a checklist for you. [SPEAKER_04]: That's crazy, but that's where it should. [SPEAKER_03]: And I think that's a big thing. [SPEAKER_03]: We took what we preach and we implemented it in our product. [SPEAKER_03]: We're doing it. [SPEAKER_03]: So when you're getting it, you're getting the secure product we possibly can make.

[SPEAKER_03]: And we're using all these capabilities that we're now injecting their information or importing their information to show you what you can do. [SPEAKER_04]: It's really cool to see. [SPEAKER_04]: It's just taken a while to get here, but it's cool to see, but what you're talking about, that continuous ATO, we have to go there. [SPEAKER_01]: Yeah, we have to go there. [SPEAKER_01]: Yeah, we have to go there. [SPEAKER_01]: Mm-hmm.

[SPEAKER_01]: Yeah. [SPEAKER_01]: So the man, we get it on time, but I just want to, y'all, y'all, I ain't gonna lie. [SPEAKER_01]: This part of this podcast has really took my brain to it. [SPEAKER_01]: My brain is literally getting a headache from the knowledge. [SPEAKER_01]: Like literally, like, it's like, man, I got to look this up. [SPEAKER_01]: And what's art?

[SPEAKER_01]: Once I get some time to digest it, I've got to make an audience and just want to let you know if you're watching this, it's hard to get education like this. [SPEAKER_01]: So just make sure you digest it because this is really a good treat. [SPEAKER_01]: Yeah. [SPEAKER_01]: Yeah. [SPEAKER_01]: Put in AI2. [SPEAKER_01]: Where can an audience find your software? [SPEAKER_01]: Where can they find you? [SPEAKER_04]: So soteriasoftware.com.

[SPEAKER_04]: So if you search for OpenRMF, all one word, OPE, and OpenRMF Professional, we come up. [SPEAKER_04]: So Soteria, it's right here, soteriasoftware.com. [SPEAKER_04]: So you can go, we do lab demos for people. [SPEAKER_04]: We sit down and we bring them from customers. [SPEAKER_04]: You can download our application into your own evaluation, fully 100% for 30 days. [SPEAKER_04]: And in our licensing model, it was nice and simple. [SPEAKER_04]: That's the other thing.

[SPEAKER_04]: So how many installs do you have? [SPEAKER_04]: How many accreditation packages do you have to send to it? [SPEAKER_04]: So it's not the 300 odd hour person. [SPEAKER_04]: And it's not pay for each endpoint. [SPEAKER_04]: It's not pay for each doc, man, whatever. [SPEAKER_02]: Or how many CPUs in memory you're running? [SPEAKER_04]: Yeah, there's obligos from like 5,000 or 5,000. [SPEAKER_04]: God, our stays were supposed to be, so it's just nice and simple. [SPEAKER_01]: Yeah, yeah.

[SPEAKER_01]: So also, too, what is one thing that you want to leave the audience with? [SPEAKER_03]: Wow. [SPEAKER_03]: You know, honestly, I don't know.

"Improving RMF and Education"

[SPEAKER_03]: I think it's the combination of all the information we've talked about. [SPEAKER_03]: We need to make RMF simpler. [SPEAKER_03]: We need to educate people. [SPEAKER_03]: And it's got to be done in a streamlined fashion. [SPEAKER_03]: Dale and I've talked about, just real quick, even as a developer going through college, or even me going through getting a cybersecurity degree. [SPEAKER_03]: We weren't taught the application of the information.

[SPEAKER_03]: We were just taught the general specifics, the commonalities or the structure of what we were supposed to learn, not how to apply it, and then not how do we work together from our different degrees of information. [SPEAKER_03]: And I think that's one of the key things we need to look at, our education system and how it could improve as well. [SPEAKER_04]: Yeah, we have a lot of quick snippet videos. [SPEAKER_04]: We do the quick ones on LinkedIn.

[SPEAKER_04]: We actually have videos on us talking with Elastic on how Elastic SIEM can link back to us. [SPEAKER_04]: We have a series of that Dale's working on. [SPEAKER_01]: Yeah, we have a YouTube channel. [SPEAKER_04]: Yeah, that's linked on our website. [SPEAKER_01]: Your website too. [SPEAKER_01]: Your website has a lot of content. [SPEAKER_04]: That's a lot of stuff.

[SPEAKER_04]: I mean, I was the live demo, interact with your demo for us, or download and evaluate it and run it yourself and you see for yourself, it works for you. [SPEAKER_04]: That's what I would say. [SPEAKER_01]: Well, thank you both, thank you, Dale, thank you David, thank you. [SPEAKER_01]: Great to see you. [SPEAKER_01]: I'm really excited. [SPEAKER_01]: I'm glad I met you, man. [SPEAKER_01]: I thought I got, I'm going to do a new level with knowledge, man.

[SPEAKER_01]: So, [SPEAKER_01]: Thank you all for having me all. [SPEAKER_01]: If you're watching on YouTube and you're trying to digest this, make sure you check out our RMF Academy.io so you can make sure you get a lot of this knowledge broken down. [SPEAKER_01]: If you're on YouTube, make sure you like the video, subscribe to the channel, share the video, and remember everybody, get 1% better every day. [SPEAKER_01]: Peace out, I'll see you on the next one.

[SPEAKER_05]: All right, thank you. [SPEAKER_05]: Thank you.

Transcript source: Provided by creator in RSS feed