00:00:00:00 - 00:00:00:23 Good morning. 00:00:00:23 - 00:00:02:15 good afternoon, everybody. 00:00:02:15 - 00:00:08:08 Thank you, Michaela, for the opportunity to present the ATO as code program. 00:00:08:13 - 00:00:11:10 project, I should say, as part of the ACT-IAC 00:00:11:10 - 00:00:13:21 cybersecurity community of interest. 00:00:13:22 - 00:00:17:24 again, I'm GP, I’m a member of the 00:00:17:24 - 00:00:21:09 cybersecurity community of interest as part of the ACT-IAC. 00:00:21:09 - 00:00:22:02 community. 00:00:22:02 - 00:00:27:23 And, it gives me great pleasure to have, our industry, I'm the industry leader. 00:00:27:23 - 00:00:33:18 And so, the, the program sponsor from, the federal agency, 00:00:34:05 - 00:00:36:13 OPM, who really sort of, 00:00:36:13 - 00:00:39:04 identified this project and has been supporting it 00:00:39:04 - 00:00:44:12 by providing the mission requirements is, Dan Jacobs here, who is from OPM. 00:00:44:12 - 00:00:47:23 So, Dan and I will, tag team, 00:00:48:12 - 00:00:52:06 and also, you know, I think a lot of the folks, 00:00:52:15 - 00:00:56:09 in the community within ACT-IAC are actually members of this group, 00:00:56:09 - 00:00:59:23 and they have been instrumental in, you know, getting this, 00:00:59:23 - 00:01:03:11 ATO as Code project to the state where it is. 00:01:03:11 - 00:01:05:15 So, again, it's a community effort. 00:01:05:15 - 00:01:08:22 And, I personally am probably just the spokesperson, 00:01:09:08 - 00:01:12:04 echoing the work of, everybody involved. So, 00:01:12:08 - 00:01:15:08 what we'll do is we'll sort of introduce the project to you. 00:01:15:14 - 00:01:18:14 also do a little bit of a shameless plug 00:01:18:17 - 00:01:21:20 about the cyber security, community of interest. 00:01:21:20 - 00:01:26:08 If, you're into ATOs and, you know, all fun stuff, 00:01:26:08 - 00:01:29:21 then we'd encourage you to join, that community again. 00:01:29:21 - 00:01:32:02 It's a great place to do great work. 
00:01:32:02 - 00:01:36:23 with that said, Dan, wanted to see if you would like to kick off 00:01:37:10 - 00:01:40:16 the proceedings by offering, you know, your perspective 00:01:41:04 - 00:01:44:03 on, you know, what sort of drove you to this project. 00:01:44:05 - 00:01:46:17 So I was wondering for the audience if you might, 00:01:46:17 - 00:01:48:15 you know, maybe go and set the stage. 00:01:48:16 - 00:01:48:24 Sure. 00:01:48:24 - 00:01:52:05 Thanks, GP, and thank you, Michaela. I appreciate the opportunity to be here. 00:01:52:06 - 00:01:53:18 How we got here? 00:01:53:18 - 00:01:58:10 for those of you who know, OPM, recently, like three years ago, 00:01:58:14 - 00:02:01:19 brought aboard Guy Cavallo, who was, effectively 00:02:01:19 - 00:02:05:14 a powerhouse in Maria Roat at the Small Business Administration, 00:02:06:02 - 00:02:10:14 where they basically just completely moved everything that they could 00:02:10:14 - 00:02:14:15 if it moved, in the data center, they they moved it to the cloud. 00:02:15:05 - 00:02:18:15 And he came to OPM, which at that time, 00:02:18:15 - 00:02:21:16 was relatively from an IT perspective, a, 00:02:22:16 - 00:02:26:18 a museum piece that, was highly secure, 00:02:26:20 - 00:02:30:14 based on, some of the previous, issues that we've had. 00:02:30:23 - 00:02:33:11 but was not fully modernized at all. 00:02:33:11 - 00:02:37:20 And so Guy created, our first cloud instance 00:02:38:01 - 00:02:42:13 and then established a sprint to the cloud and said, look, we've got two years. 00:02:42:13 - 00:02:44:00 I want to empty out my data center. 00:02:44:00 - 00:02:48:00 In two years, all applications, including the mainframe, go. 00:02:48:23 - 00:02:50:07 Now, we're not going to make that. 00:02:50:07 - 00:02:55:12 But, we have moved a significant number of workloads, but that creates a problem. 
00:02:55:23 - 00:03:00:23 And the problem is that, if you follow, NIST guidelines at all, 00:03:01:05 - 00:03:03:05 what you're going to find is that move to the cloud 00:03:03:05 - 00:03:06:05 is probably going to necessitate a new ATO. 00:03:06:08 - 00:03:09:14 And when you are looking at within 2 to 3 years, 00:03:09:17 - 00:03:13:17 100% of your workloads, having to undergo an ATO, 00:03:13:17 - 00:03:16:22 and you have to learn how to not only secure the cloud 00:03:16:22 - 00:03:20:11 but O&M it from a cyber, O&M, your risk management, 00:03:20:21 - 00:03:24:20 from a cyber perspective in the cloud, for the first time ever. 00:03:25:02 - 00:03:27:19 That's an awful lot to ask one agency. 00:03:27:19 - 00:03:31:22 And so, I got aboard and, started asking questions, 00:03:31:22 - 00:03:36:18 and it became kind of obvious to me that we needed something that would help us. 00:03:37:09 - 00:03:39:24 We needed a new way to approach some of the 00:03:39:24 - 00:03:43:00 some of these systemic ATO, ATO issues. 00:03:43:10 - 00:03:46:24 Even if we could bring in a two-year ATO down to three months, 00:03:47:15 - 00:03:51:02 three months with 100% of our workload, we simply didn't have enough time. 00:03:51:02 - 00:03:52:03 There wasn't enough staff. 00:03:52:03 - 00:03:55:00 We couldn't hire enough people to solve this problem. 00:03:55:00 - 00:03:59:21 So I came up with this idea that, well, what if we could automate the ATO process? 00:03:59:21 - 00:04:03:08 those of you who have been around for a long time, years and years ago, 00:04:03:14 - 00:04:04:17 I think it was NGA 00:04:04:17 - 00:04:08:12 came out with a, a presentation that said, hey, we can do ATO in a day. 00:04:08:18 - 00:04:13:00 it was a great pitch for infrastructure as code amongst other technologies. 00:04:13:15 - 00:04:17:03 but it was really un-implementable at that point 00:04:17:03 - 00:04:20:06 for most people who didn't have a serious running start. 
00:04:20:23 - 00:04:22:06 And so I said, look, 00:04:22:11 - 00:04:26:01 why don't we at least begin the conversation 00:04:26:03 - 00:04:28:08 to enable folks 00:04:28:08 - 00:04:31:17 to seriously look at how we can do 00:04:31:17 - 00:04:33:19 automation from 00:04:33:19 - 00:04:36:16 from a shift left perspective, 00:04:36:16 - 00:04:41:09 if we can build code or, I'm sorry, security into code. 00:04:42:05 - 00:04:47:11 If we can build compliance into code, if we can build infrastructure into code, 00:04:47:15 - 00:04:52:07 if we can, everything that we can do is shifting left and moving into code. 00:04:52:07 - 00:04:55:07 Why can't we do it from a risk management perspective as well? 00:04:55:17 - 00:04:58:17 So I came up with this idea where we're just going to call it ATO as code, 00:04:59:03 - 00:05:04:00 and I didn't have some miracle insight into how it would pan out. 00:05:04:10 - 00:05:09:02 But what I did have was a crystal clear requirement from an, from 00:05:09:02 - 00:05:13:22 a CFO Act agency that we needed something to help us. 00:05:14:06 - 00:05:18:20 And so I pitched the idea to ACT-IAC and it took a little bit. 00:05:18:20 - 00:05:20:20 It wasn't like an instant win. Right. 00:05:20:20 - 00:05:26:06 And it took better than a year to come about and kind of formulate these ideas 00:05:26:18 - 00:05:29:24 with the cybersecurity community of interest to say, okay, 00:05:30:14 - 00:05:33:09 there's enough here to be able to move forward. 00:05:33:09 - 00:05:35:16 Let's just do some exploration. 00:05:35:16 - 00:05:39:20 And so what we have is effectively an, operational 00:05:39:20 - 00:05:43:19 maturity model as a first, as a first deliverable, 00:05:43:23 - 00:05:46:23 it seems like it's pretty lightweight. 00:05:47:00 - 00:05:47:19 On first blush. 00:05:47:19 - 00:05:50:08 You look at it, you're like, okay, a maturity model. 00:05:50:08 - 00:05:52:14 Everyone can do this. Everyone has done this. 
00:05:52:14 - 00:05:53:22 I have a million of these. 00:05:53:22 - 00:05:56:05 But if you take a look at it. Right. 00:05:56:05 - 00:06:00:20 it's not a capability maturity model where you're just listing a tool. 00:06:00:20 - 00:06:04:22 Well, if you have the ability, to run this tool, then you're at level five. 00:06:05:10 - 00:06:06:13 It's not like that at all. 00:06:06:13 - 00:06:07:08 In fact, 00:06:07:08 - 00:06:11:10 we have full OSCAL implementation running your SSP, SARs, etc. 00:06:11:17 - 00:06:14:02 at level two. 00:06:14:02 - 00:06:17:02 So this is a much more of a broader enterprise 00:06:17:02 - 00:06:21:14 risk management perspective of how we're looking at the organization. 00:06:21:24 - 00:06:25:12 So I'm going to kick it back to GP so he can start with the 00:06:25:12 - 00:06:26:12 with the rest of it. 00:06:26:12 - 00:06:29:06 But if the answer is how do we get here? 00:06:29:06 - 00:06:33:21 the short answer is, well, I can't really I can't really do this alone. 00:06:34:00 - 00:06:35:05 We need help. 00:06:35:05 - 00:06:40:12 And come to find out, we put that, we put that request out to, ACT-IAC 00:06:40:13 - 00:06:42:18 and the rest of the community, 00:06:42:18 - 00:06:47:10 and there was an enormous amount of response, for those of you 00:06:47:10 - 00:06:51:10 who don't know me that well, I was on the, phase one for Zero Trust, 00:06:51:10 - 00:06:54:16 and I was the federal sponsor for, phase two zero trust. 00:06:55:13 - 00:06:58:18 we have three times the amount of support 00:06:59:03 - 00:07:02:04 for ATO as code as we did for zero trust. 00:07:02:04 - 00:07:04:23 And we've seen what's happened to zero trust over the last five years. 00:07:04:23 - 00:07:10:04 So there is an enormous groundswell and a need that we're working on making here. 
00:07:10:10 - 00:07:14:02 And, our deliverable, I don't I don't want to steal a GP's thunder, 00:07:14:02 - 00:07:17:18 but our deliverable is basically just the tip 00:07:17:18 - 00:07:21:06 of the iceberg for the amount of work that has gone in underneath. 00:07:21:12 - 00:07:24:14 There's going to be some fantastic movement going forward here. 00:07:24:16 - 00:07:27:08 And it's all based on our ability to leverage OSCAL. 00:07:27:08 - 00:07:29:21 So I'm going to shut up, let GP do his thing. 00:07:29:24 - 00:07:34:03 Thank you, Dan, for that, really, insightful introduction. 00:07:34:17 - 00:07:40:08 So again, I would love to have you guys take a look at the participants here. 00:07:40:08 - 00:07:41:24 I'm sure you're very familiar with ACT-IAC. 00:07:41:24 - 00:07:45:15 And if you're not, as I said, a little bit of a shameless plug 00:07:45:15 - 00:07:48:22 about the amazing work the cybersecurity community of interest is doing. 00:07:49:15 - 00:07:52:08 again, this is just a screenshot from their page. 00:07:52:08 - 00:07:53:21 The link is up there. 00:07:53:21 - 00:07:56:08 some great, work that's been done. 00:07:56:08 - 00:07:59:18 Dan talked about, the cybersecurity, 00:07:59:21 - 00:08:03:02 you know, initiatives around zero trust. 00:08:03:14 - 00:08:07:02 again, everybody is looking at supply chain. 00:08:07:12 - 00:08:10:12 I, I, you know, I've had I've known I've been at, 00:08:10:12 - 00:08:12:00 you know, from an industry perspective. 00:08:12:00 - 00:08:18:01 I've been with ACT-IAC for a while, but I just have, met, really 00:08:18:01 - 00:08:21:03 kindred and, you know, fellow souls as being part of this, 00:08:21:03 - 00:08:22:12 cybersecurity community of interest. 00:08:22:12 - 00:08:26:08 So, again, encourage you to check it out and check out some of the phenomenal work 00:08:26:08 - 00:08:26:16 there. 00:08:26:16 - 00:08:31:21 Again, the ATO as code project is part of that community of interest. 
00:08:31:21 - 00:08:35:17 So just to give you a little bit of a perspective on really 00:08:35:17 - 00:08:38:17 what we are trying to do in terms of ATO as code, 00:08:39:07 - 00:08:43:02 just to sort of set the stage, I think, Dan said it well, 00:08:43:14 - 00:08:47:01 If we look at the logical progression 00:08:47:06 - 00:08:52:11 of, modernization, cloud came along about ten, 15 years 00:08:52:11 - 00:08:56:21 ago, 2009 is when I did my first, cloud ATO. 00:08:57:07 - 00:09:00:04 And since then, you know, we've gone from, 00:09:00:04 - 00:09:04:03 cloud being sort of a data center replacement to looking at it 00:09:04:03 - 00:09:07:22 more in the context of, well, we've got infrastructure as code. 00:09:08:08 - 00:09:12:12 And as you look at that logical progression, and then OSCAL came along. 00:09:13:01 - 00:09:15:17 And so now we, in our view, 00:09:15:17 - 00:09:18:17 have a lot of the different components 00:09:18:18 - 00:09:24:03 that allow us to sort of take the final, step, which is go in and say, 00:09:24:10 - 00:09:28:18 can we go in and use these disparate tools and capabilities 00:09:28:18 - 00:09:31:18 like infrastructure as code, like OSCAL 00:09:31:24 - 00:09:35:00 and create a mission assurance solution? 00:09:35:20 - 00:09:37:13 hence the word ATO as code 00:09:37:13 - 00:09:40:13 And of course, credit Dan for coming up with that. 00:09:40:18 - 00:09:42:02 fantastic. 00:09:42:02 - 00:09:44:14 you know, name for this. 00:09:44:14 - 00:09:46:00 And so I think it's been exciting. 
00:09:46:00 - 00:09:49:22 I'm sure there are other initiatives that are around us, 00:09:50:08 - 00:09:54:02 whether we call it ATO in a day or continuous ATO or, 00:09:54:03 - 00:09:58:24 you know, using DevSecOps, we view all of those initiatives as aligned 00:09:59:09 - 00:10:02:24 to solving the same problem, which is how do we go in and build in, 00:10:03:17 - 00:10:06:16 compliance and, you know, risk management 00:10:06:16 - 00:10:11:03 into the solution right from the beginning with the least amount of toil. 00:10:11:03 - 00:10:17:00 And so essentially, the idea behind ATO as code was to be an open solution 00:10:17:00 - 00:10:20:19 accelerator that really brings together disparate technologies. 00:10:21:03 - 00:10:24:04 again, it needs a lot of process experts. 00:10:24:04 - 00:10:27:23 you can't just get an ATO. 00:10:27:23 - 00:10:32:03 There's some real, mission impact, if you get it wrong. 00:10:32:13 - 00:10:35:08 and also, can we go in and bring together different metrics? 00:10:35:08 - 00:10:35:14 Right. 00:10:35:14 - 00:10:38:15 So if I can go in, and, 00:10:38:15 - 00:10:42:10 reduce the time, and, you know, have cost avoidance 00:10:42:10 - 00:10:46:02 as part of the ATO process, then what does it mean? 00:10:46:13 - 00:10:51:19 you know, what should be a benchmark, what should be an SLA? 00:10:51:19 - 00:10:54:00 Right. So those are interesting questions. 00:10:54:00 - 00:10:57:10 I also had the privilege of interacting with a lot of smart people. 00:10:57:10 - 00:11:01:20 And so, as part of this project and so, again, we brought all of these disparate, 00:11:01:21 - 00:11:04:17 skill sets together to go and deliver our mission assurance. 00:11:04:17 - 00:11:07:10 So that was sort of the objective of the project. 
00:11:07:13 - 00:11:09:21 So if you look at how we sort of got here, 00:11:09:21 - 00:11:15:01 the project has taken about, over, I would say about 14 months 00:11:15:01 - 00:11:18:08 when we kicked this off, in March of last year. 00:11:18:10 - 00:11:21:08 and what's been amazing to me is just the, 00:11:21:08 - 00:11:25:09 the continued participation, energy and enthusiasm, 00:11:25:12 - 00:11:30:09 of the team, both on the industry side, as well as obviously the government side. 00:11:30:09 - 00:11:33:21 But really the goal was, as Dan alluded to, 00:11:33:22 - 00:11:37:09 we had a fairly large team of volunteers and participants. 00:11:37:21 - 00:11:40:07 And so again, there were different types of skill sets. 00:11:40:07 - 00:11:43:11 So we broke the team down, the project 00:11:43:11 - 00:11:46:11 down into three key workstreams, as we call them, 00:11:46:16 - 00:11:50:06 and essentially aligned that to the skill sets that folks brought. 00:11:50:06 - 00:11:52:08 Everybody's skills were important. 00:11:52:08 - 00:11:54:07 and everybody's time obviously is important. 00:11:54:07 - 00:11:59:15 So this is how we kind of went about, sort of creating consensus 00:11:59:24 - 00:12:02:22 and, you know, making sure that people that are into, 00:12:02:22 - 00:12:06:17 you know, writing the, the XML or the JSON, 00:12:06:20 - 00:12:09:19 artifacts are equally comfortable with the folks 00:12:09:19 - 00:12:12:20 that are, experts in the process side 00:12:12:20 - 00:12:16:01 looking at, information assurance and things like that. 00:12:16:01 - 00:12:18:05 and of course, the program folks 00:12:18:05 - 00:12:21:02 that might be interested in the business impact of these. 00:12:21:02 - 00:12:25:17 So this is kind of a very quick view on helping you get a sense of how the 00:12:25:17 - 00:12:27:02 sausage was made, if you will. 00:12:27:04 - 00:12:28:14 so coming to, 00:12:28:14 - 00:12:32:08 again, something that, Dan, alluded to already. 
00:12:32:18 - 00:12:36:21 one of the things we felt when, the community got together 00:12:37:07 - 00:12:40:07 is we talked a lot about technology. 00:12:40:10 - 00:12:40:17 Right. 00:12:40:17 - 00:12:45:00 So we, of course, are all probably experts in, you know, infrastructure as code. 00:12:45:10 - 00:12:48:00 thanks to the amazing work that NIST 00:12:48:00 - 00:12:52:07 and Michaela and, you know, the, the, CISO Council 00:12:52:07 - 00:12:56:01 and others have done, you know, now we know what OSCAL is. 00:12:56:01 - 00:13:00:21 And so to us, we see infrastructure as code, OSCAL, and all of these, 00:13:01:05 - 00:13:07:01 amazing technologies as ingredients and catalysts for something bigger. 00:13:07:13 - 00:13:11:07 And so when, if, what we did is we said, okay, let's put our, 00:13:11:13 - 00:13:14:07 put ourselves in the shoes of a, 00:13:14:07 - 00:13:19:05 organization, a CISO organization that is focused on 00:13:19:10 - 00:13:22:23 not necessarily adopting infrastructure as code or OSCAL, 00:13:22:23 - 00:13:26:13 but they're really designed to go in and support the mission. 00:13:27:00 - 00:13:27:06 Right. 00:13:27:06 - 00:13:32:23 So how can they go in and take this journey around mission assurance? 00:13:33:09 - 00:13:35:07 And so where do they begin? 00:13:35:07 - 00:13:38:19 And so again, really the credit goes to the project team members, 00:13:39:04 - 00:13:44:03 under the leadership of, our sponsor here at OPM, to say, hey, 00:13:44:10 - 00:13:47:07 you know, before we go into deep diving 00:13:47:07 - 00:13:51:03 into the technology, we really need to give the organization 00:13:51:05 - 00:13:56:04 a tool or a mechanism to embark on that transformation journey. 00:13:56:19 - 00:13:59:16 And so we just felt collectively as a group 00:13:59:16 - 00:14:02:11 that there did not exist 00:14:02:11 - 00:14:05:13 a mechanism to go in and drive that change. 00:14:05:13 - 00:14:05:21 Right. 
00:14:05:21 - 00:14:08:21 So it's always, as an engineer and as a techie, 00:14:09:00 - 00:14:11:22 it's always very compelling to go in and say, hey, you know, 00:14:11:22 - 00:14:16:08 let's go in and use tool X or Y or implement this technology. 00:14:16:08 - 00:14:20:01 But, again, as we look at it from the context of a mission partner, 00:14:20:12 - 00:14:21:23 where do they begin? Right. 00:14:21:23 - 00:14:24:16 They have something that they already have in place. 00:14:24:16 - 00:14:27:07 They have a team, there's a workforce issue. 00:14:27:07 - 00:14:29:04 And so how do we really go in and begin? 00:14:29:04 - 00:14:32:23 And so that's where this idea of a compliance 00:14:32:23 - 00:14:36:05 automation process maturity model came in. 00:14:36:05 - 00:14:40:11 And so the idea there was to define and create 00:14:40:11 - 00:14:44:21 and, my understanding, this is the first and only novel 00:14:44:21 - 00:14:50:07 implementation of the maturity model construct in this area of risk management. 00:14:50:07 - 00:14:52:03 And so we're pretty excited about it. 00:14:52:03 - 00:14:55:00 would love to get your thoughts and feedback. 00:14:55:00 - 00:14:57:20 there is a, a link 00:14:57:20 - 00:15:01:20 to a PDF document and it's gone through a lot of reviews. 00:15:01:20 - 00:15:04:16 And so again, we'd love to get your thoughts on it. 00:15:04:16 - 00:15:09:00 But really, the idea behind, the maturity model is to go and, and drive 00:15:09:00 - 00:15:12:23 change and enable the participation of the community 00:15:13:08 - 00:15:17:01 in saying, okay, you know, let me go in and understand where I am today. 00:15:17:10 - 00:15:20:17 And then I have an aspiration to getting to a different level. 00:15:21:03 - 00:15:24:00 And so what might be my journey, what might that look like? 00:15:24:00 - 00:15:25:23 What are the different pieces I need to put together? 00:15:25:23 - 00:15:31:03 So again, it was designed to be, a handy document to drive that journey. 
00:15:31:11 - 00:15:32:12 So some of the key 00:15:32:12 - 00:15:36:05 factors that were during these conversations and, 00:15:36:06 - 00:15:40:15 you know, numerous workshops and meetings, there were really three key 00:15:40:15 - 00:15:45:13 critical factors that were identified that were 00:15:46:02 - 00:15:49:13 critical enablers to driving digital transformation 00:15:49:13 - 00:15:52:13 in the context of the cybersecurity mission. 00:15:53:00 - 00:15:56:07 of course, as those of you that deal with it every day, 00:15:56:07 - 00:15:57:16 data is paramount, right? 00:15:57:16 - 00:16:02:00 How can I go in and get access to larger and larger 00:16:02:10 - 00:16:05:10 amounts of data that's coming at us? 00:16:05:15 - 00:16:08:15 but it's in a, in a format or in a manner, 00:16:08:24 - 00:16:12:03 that's very difficult for us to harmonize and standardize 00:16:12:14 - 00:16:15:15 and so really, I need to be able to, you know, get the data 00:16:15:15 - 00:16:18:17 from my vulnerability scanner, from my application scanner, from my 00:16:18:17 - 00:16:22:04 you know, the cloud services, that Dan talked about. 00:16:22:04 - 00:16:26:22 And now we've also talked about, you know, bringing in, you know, 00:16:26:22 - 00:16:30:15 threat information and, you know, there are new requirements around SBOM. 00:16:30:15 - 00:16:33:00 So again, it's all about data. 00:16:33:00 - 00:16:36:00 And how do we go in and get that data into the risk 00:16:36:00 - 00:16:39:00 management process quickly, efficiently and effectively. 00:16:39:06 - 00:16:41:07 And so that's a continuing battle. Right. 00:16:41:07 - 00:16:43:19 And so there are different ways to enable that. 00:16:43:19 - 00:16:46:23 Some organizations, they're farther along. 00:16:47:02 - 00:16:50:21 and so again that was a key pillar to driving change. 00:16:51:11 - 00:16:53:20 the second was of course technology. 
00:16:53:20 - 00:16:58:10 again, we definitely were cognizant of, 00:16:58:20 - 00:17:02:13 infrastructure as code and OSCAL, but we didn't necessarily want to go in 00:17:02:13 - 00:17:06:07 and limit it or be prescriptive to one technology over the other 00:17:06:07 - 00:17:10:16 because all of us know, technologies change all the time. 00:17:10:16 - 00:17:14:13 And I'm sure all of you are, working feverishly on, 00:17:15:01 - 00:17:18:17 you know, how can AI, assist with this? 00:17:18:17 - 00:17:22:17 And so, again, we want to be, we want to be future proof, right? 00:17:22:17 - 00:17:25:17 So we want to go in and say, hey, we want to go in and focus on the mission, 00:17:26:05 - 00:17:29:13 deliver mission assurance; tools, technologies 00:17:29:13 - 00:17:32:23 and capabilities might change on how we get to that goal. 00:17:32:23 - 00:17:35:06 So I didn't want to be overly prescriptive, 00:17:35:06 - 00:17:37:15 just using one tool over the other. 00:17:37:15 - 00:17:42:22 But again, in the general context of, using the technology to drive either 00:17:42:22 - 00:17:48:03 the automation or the ability to go in and do things like ETL, harmonize, 00:17:48:03 - 00:17:52:05 do risk analytics, whatever, whatever tools and mechanisms 00:17:52:13 - 00:17:56:05 were appropriate for an organization, not necessarily going in and saying, hey, 00:17:56:13 - 00:17:59:09 go in and buy tool X and then you'll be fine, right? 00:17:59:09 - 00:18:02:02 So again, trying to be a little broader from that standpoint. 00:18:02:02 - 00:18:02:16 And of course 00:18:02:19 - 00:18:03:24 the mission is paramount. 00:18:03:24 - 00:18:09:02 And so how do we go in and make sure that, any solution or standard is blessed, 00:18:09:13 - 00:18:12:24 by the federal agencies of course, 00:18:13:09 - 00:18:17:13 NIST, as a standards-setting organization, has blessed it. 
00:18:17:13 - 00:18:20:16 And so just making sure that whatever is presented and offered, 00:18:21:01 - 00:18:24:02 has the blessings of, the different agencies, 00:18:24:11 - 00:18:25:24 and standards bodies. 00:18:26:16 - 00:18:31:00 So I will open it up to questions, pause or go back or, you know, 00:18:31:00 - 00:18:34:15 double click on anything, that might be of interest to the community. 00:18:34:18 - 00:18:35:03 Thank you. 00:18:35:03 - 00:18:39:08 But before I stop the recording, I wanted to give, Dan a chance to, 00:18:39:08 - 00:18:41:07 close or express his thoughts 00:18:41:07 - 00:18:43:05 if he has anything to add. 00:18:43:06 - 00:18:44:00 Yeah. Thanks, Michaela. 00:18:44:02 - 00:18:46:16 one of the things that I think it's important 00:18:46:16 - 00:18:47:21 to get across here, 00:18:47:23 - 00:18:49:20 is when we're approaching, 00:18:49:20 - 00:18:52:19 ATO as code and OSCAL’s implementation of it. 00:18:52:19 - 00:18:54:14 you can automate 00:18:54:14 - 00:18:57:20 your ATO processes without OSCAL. 00:18:58:11 - 00:19:00:02 You don't have to have it. 00:19:00:02 - 00:19:02:16 But the problem is that if you go in that route, 00:19:02:16 - 00:19:05:20 what you're going to find is a proprietary solution 00:19:06:00 - 00:19:10:04 that is going to most likely lock you in for a long period of time, 00:19:10:11 - 00:19:13:11 and it's going to cost you an awful lot more money. 00:19:13:13 - 00:19:16:13 And it's also not going to have any broad standards. 00:19:16:14 - 00:19:19:03 And so by going open standards, 00:19:19:03 - 00:19:22:23 leveraging what NIST has given us, this is a gift. Right? 00:19:22:23 - 00:19:26:05 And this is this is what allows us to be able 00:19:26:05 - 00:19:29:11 to standardize our processes, our procedures, 00:19:29:11 - 00:19:33:16 and how we get this work done across the entire federal space. 
00:19:34:02 - 00:19:37:02 What's more is if you flip it on the on the back side of that, 00:19:37:06 - 00:19:40:06 it allows our vendors a very clear understanding 00:19:40:07 - 00:19:43:06 of what it is that they can do in order to, 00:19:43:06 - 00:19:45:04 build in a value proposition. 00:19:45:04 - 00:19:48:16 When you have federal agencies who are looking for solutions 00:19:48:16 - 00:19:52:24 that the vendors are offering, because we all know, I'm not going to name 00:19:52:24 - 00:19:57:01 any names here, but, we all know that there are some products out there, 00:19:57:01 - 00:20:00:12 like say, for instance, a GRC that has proprietary data sets 00:20:00:18 - 00:20:03:22 that will not play very well with other tools. 00:20:04:08 - 00:20:07:17 That's not a great option, and it's not exactly 00:20:07:17 - 00:20:09:15 what we ought to be doing from, 00:20:09:16 - 00:20:12:21 a responsible government position using taxpayer dollars 00:20:12:21 - 00:20:14:10 in order to effect our stuff. 00:20:14:10 - 00:20:19:01 So OSCAL, to me, is a critical and integral piece of how we move forward. 00:20:19:05 - 00:20:20:18 We're not going to be able to do this without it, 00:20:20:18 - 00:20:24:02 because otherwise it's just proprietary and vendor lock-in land. 00:20:24:18 - 00:20:28:02 So that's why this to me, this is one of these things 00:20:28:02 - 00:20:31:06 where we're putting it, right up front and saying, look, 00:20:31:11 - 00:20:33:20 this is going to be hard. 00:20:33:23 - 00:20:36:23 This is going to be an entire agency effort. 00:20:37:00 - 00:20:42:21 when we are looking at, the deliverable for ATO as code in, phase one, 00:20:43:09 - 00:20:46:18 we're touching several different pieces of cybersecurity and enterprise 00:20:46:18 - 00:20:47:15 risk management. 00:20:47:15 - 00:20:50:15 We're automating across the entire board, 00:20:50:19 - 00:20:54:07 just like, when we were talking about, years ago, 00:20:54:09 - 00:20:55:04 zero trust. 
00:20:55:06 - 00:20:57:17 Zero trust is a set of design principles. 00:20:57:17 - 00:21:02:06 It was never the, the idea that you would simply buy one tool, 00:21:02:18 - 00:21:05:02 stick it in your rack, and all of a sudden, bam, 00:21:05:02 - 00:21:07:03 you're now zero trust across the board. 00:21:07:03 - 00:21:08:23 That's not how that works. 00:21:08:23 - 00:21:12:02 And it's also not how ATO as code is going to work. 00:21:12:09 - 00:21:15:02 It's going to require some serious fundamental changes. 00:21:15:02 - 00:21:16:21 It's going to require governance. 00:21:16:21 - 00:21:19:19 You need to empower your developers to be able to do this. 00:21:19:19 - 00:21:21:07 It's going to require processes, 00:21:21:11 - 00:21:22:04 across 00:21:22:04 - 00:21:25:09 this is not just cyber process, but also it fully integrates in 00:21:25:09 - 00:21:28:09 with your enterprise information systems and your enterprise management. 00:21:28:18 - 00:21:29:15 It's part of your 00:21:29:15 - 00:21:32:20 and at least from my perspective, is also part of your cloud operating model. 00:21:33:07 - 00:21:37:22 This is going to fundamentally change how you do enterprise risk management. 00:21:38:01 - 00:21:39:22 It's not just going to be the CISO 00:21:39:22 - 00:21:43:16 show, it's going to be the CISO, the enterprise architect, the risk, 00:21:43:22 - 00:21:47:04 the enterprise risk management officer, whoever that may be. 00:21:47:11 - 00:21:50:13 As GP has mentioned, there might also be an AI play in there 00:21:50:13 - 00:21:52:07 because OSCAL is nothing 00:21:52:07 - 00:21:55:10 without all the data, or at least ATO as code is nothing without all the data. 00:21:55:16 - 00:22:00:01 so this is this is significantly harder than what it seems. 00:22:00:01 - 00:22:04:08 And, you know, much like the onion, the more you peel into it, 00:22:04:08 - 00:22:06:23 the more you find out there's an awful lot of layers. 
00:22:06:23 - 00:22:08:22 And this is going to be a multi-year effort. 00:22:08:22 - 00:22:13:20 But when you get there, maintaining your security, being able to facilitate 00:22:14:10 - 00:22:17:15 user needs, going from requirements to execution, 00:22:17:15 - 00:22:19:20 I now have a fully functional capability. 00:22:19:20 - 00:22:23:02 It's going to be infinitely faster because you've eliminated 00:22:23:14 - 00:22:27:06 the huge amount of hurdles for security assessment in between. 00:22:27:16 - 00:22:31:20 So, I kind of feel like I'm just, you know, beating the same drum over and over. 00:22:31:20 - 00:22:33:12 I’ll shut up, pending any questions. 00:22:33:12 - 00:22:34:20 But thank you very much for your time. 00:22:34:20 - 00:22:37:20 And, let's let's see, let's go. 00:22:38:01 - 00:22:39:04 Thank you. 00:22:39:04 - 00:22:44:14 I was chatting with Steven Hernandez, and he put a comment 00:22:44:14 - 00:22:47:23 that actually, was very interesting to me. 00:22:48:13 - 00:22:51:16 I'll say, amongst the top three opportunities the council has 00:22:51:16 - 00:22:55:00 recognized is where can we drive efficiency 00:22:55:01 - 00:22:58:13 through our GRC programs and our ATO programs. 00:22:58:13 - 00:23:03:20 And this is, hitting that challenge squarely in the crosshairs. 00:23:04:04 - 00:23:08:13 And I think that as we look to the future, we look at DevSecOps, 00:23:08:13 - 00:23:09:11 we look at continuous 00:23:09:11 - 00:23:12:11 integration, continuous development, we look at the world around us. 00:23:12:17 - 00:23:18:00 Everything is moving in a continuous fashion, and we have to do the same thing. 00:23:18:00 - 00:23:21:02 And in fact, we have to be just a little bit better, a little bit faster, 00:23:21:02 - 00:23:25:07 because our actions need to help govern and shape what 00:23:25:07 - 00:23:28:13 those development and those continuous iteration processes look like. 
00:23:28:13 - 00:23:31:08 So, with that, I'm going to go and, 00:23:31:08 - 00:23:34:13 but I wanted to thank, Michaela, the NIST team 00:23:34:13 - 00:23:37:13 and OSCAL team for everything you're doing. 00:23:38:02 - 00:23:39:01 it is the future. 00:23:39:01 - 00:23:41:06 And I put a comment in there. I love Dan's comment. 00:23:41:06 - 00:23:43:24 You know, you don't have to have OSCAL to automate. 00:23:43:24 - 00:23:46:01 And immediately what popped in my mind is, yeah. 00:23:46:01 - 00:23:50:09 And you also don't need shoes to run a marathon, but, you know, it helps. 00:23:50:09 - 00:23:52:14 Okay. It really helps. 00:23:52:14 - 00:23:55:07 and I think that this project, 00:23:55:07 - 00:23:58:07 and this engagement here did a fine job of illustrating that. 00:23:58:07 - 00:24:00:11 So I'm going to go. But thank you, everybody. 00:24:00:11 - 00:24:01:23 Deeply appreciate the time this morning.