00:00:00:04 - 00:00:01:00 Morning, everybody. 00:00:01:00 - 00:00:02:18 My name is Clark Pain. 00:00:02:18 - 00:00:04:25 I'm a product manager at Rise 8. 00:00:04:25 - 00:00:07:11 Rise 8 does elite software development. 00:00:07:11 - 00:00:11:11 Right now we're working with the DoD and the VA. 00:00:11:15 - 00:00:14:14 We've also worked with other government organizations, 00:00:14:14 - 00:00:18:12 mainly developing past production, shipping software to production, 00:00:18:17 - 00:00:20:03 and actually recently 00:00:20:05 - 00:00:23:08 worked with the VA to establish their first continuous ATO. 00:00:23:12 - 00:00:26:05 We have a deep understanding of the challenges 00:00:26:05 - 00:00:29:13 associated with getting new capabilities to production, 00:00:29:17 - 00:00:34:09 notably the ATO process and really executing RMF in general. 00:00:34:23 - 00:00:38:08 We've been developing Tracer as a continuous RMF platform, 00:00:38:12 - 00:00:39:29 internally to Rise 8, 00:00:39:29 - 00:00:44:21 in order to accelerate this ATO process and really enable 00:00:44:21 - 00:00:48:20 the delivery of new software capabilities faster than currently possible. 00:00:48:23 - 00:00:50:05 And really, you know, the reason 00:00:50:05 - 00:00:54:09 why we're here is that we see OSCAL as a key enabling technology 00:00:54:09 - 00:00:58:07 or function, sort of behind the scenes, to the success of Tracer 00:00:58:07 - 00:01:02:03 and in really helping Tracer do what we want to be able to do. 00:01:02:03 - 00:01:05:19 So we're going to dive into how Tracer leverages OSCAL, 00:01:05:26 - 00:01:08:21 so let's dive into it. 00:01:08:21 - 00:01:11:21 So I know most people here are very familiar with OSCAL, 00:01:11:21 - 00:01:15:07 so let's focus here on the implications. 00:01:15:08 - 00:01:19:05 Like, why is OSCAL important within the context of Tracer?
00:01:19:09 - 00:01:23:06 Currently the ATO process relies heavily 00:01:23:06 - 00:01:27:02 on basically Microsoft Office documents like Word, Excel. 00:01:27:10 - 00:01:30:29 There's a ton of manual review and upkeep of these documents. 00:01:31:04 - 00:01:33:08 These documents lack transparency, 00:01:33:08 - 00:01:36:08 searchability. They're difficult to update. 00:01:36:20 - 00:01:39:16 Really, once they're finalized, they're set in stone. 00:01:39:16 - 00:01:41:11 There are version management issues. 00:01:41:11 - 00:01:44:18 And really, all of this drives what at times could be 00:01:44:18 - 00:01:47:18 a 12 to 18 month authorization process, 00:01:47:19 - 00:01:52:18 and because of that, countless company hours spent managing this process, 00:01:52:18 - 00:01:55:19 and can cost upwards of millions of dollars in order for, 00:01:55:19 - 00:01:55:29 you know, 00:01:55:29 - 00:01:59:22 an authorization to be put together and pushed across the finish line. 00:01:59:22 - 00:02:04:02 Because it's so difficult, a lot of times these authorizations just aren't updated, 00:02:04:07 - 00:02:07:22 and because the authorizations can't be updated, the software can't be updated. 00:02:07:26 - 00:02:13:23 And you see these sort of huge, Leviathan pushes to get the initial software 00:02:13:25 - 00:02:16:25 deployed, the authorization done, and then it's just kind of left there. 00:02:16:25 - 00:02:20:21 You can point to countless examples across the government of antiquated 00:02:20:21 - 00:02:24:22 software that has real mission impacts, no matter the department that you're in, 00:02:24:28 - 00:02:27:27 and a lot of this can be traced back 00:02:27:27 - 00:02:31:14 to really the bureaucracy around the authorization process. 00:02:31:15 - 00:02:35:08 So what we want to do is, we see OSCAL as a key function 00:02:35:12 - 00:02:39:20 for eliminating a lot of that toil and opacity within that process.
00:02:39:23 - 00:02:40:24 We want to create a system 00:02:40:24 - 00:02:45:22 that puts compliance and security data at the center, not documents, 00:02:45:27 - 00:02:49:20 in order to create a transparent process, you know, remove the barriers 00:02:49:20 - 00:02:51:12 to updating authorizations 00:02:51:12 - 00:02:54:03 and pave the way for more frequent delivery of software. 00:02:54:03 - 00:02:57:18 So right at the bottom of this slide, you'll see a small snippet of the 00:02:57:23 - 00:02:59:05 OSCAL control format. 00:02:59:05 - 00:03:03:17 This is what we're pulling in directly from the NIST repo to populate Tracer. 00:03:03:17 - 00:03:07:06 And of course we're talking about 800-53 controls. 00:03:07:13 - 00:03:10:16 So let's dive a little bit deeper into 00:03:10:22 - 00:03:13:24 what that looks like for Tracer specifically, 00:03:14:02 - 00:03:15:15 right, how Tracer uses OSCAL. 00:03:15:15 - 00:03:18:17 The app itself ingests the entire 00:03:18:20 - 00:03:22:06 800-53 control catalog from the NIST repo 00:03:22:12 - 00:03:25:27 and then is able to manage and display them in the user interface. 00:03:26:08 - 00:03:30:04 We will take a look at some screenshots from Tracer. 00:03:30:04 - 00:03:33:17 We'll also walk through a quick demo to sort of see it in action. 00:03:33:21 - 00:03:36:21 This is a bit of a little primer, so we know what's going on behind the scenes. 00:03:36:29 - 00:03:41:18 We pull in the control catalog, and then Tracer does a lot of the heavy lifting 00:03:41:18 - 00:03:42:03 when it comes 00:03:42:03 - 00:03:46:00 to managing the control catalog, you know, system creation, tailoring, 00:03:46:03 - 00:03:46:27 and then users 00:03:46:27 - 00:03:50:23 go in and can do all this sort of implementation, assessment documentation,
00:03:50:29 - 00:03:54:28 then ultimately generate artifacts or reports that can either 00:03:54:28 - 00:03:58:25 be manually extracted in the form of, you know, say like a CSV, 00:03:59:04 - 00:04:04:00 or in the OSCAL format in XML or JSON format that can 00:04:04:00 - 00:04:07:26 then be shared with other programs that are able to consume it. 00:04:08:00 - 00:04:12:28 The community is aware of XACTA, their ability to consume OSCAL data. 00:04:13:09 - 00:04:17:18 The FedRAMP office is very forward leaning in their ability 00:04:17:18 - 00:04:19:09 to consume OSCAL data. 00:04:19:09 - 00:04:24:22 We want Tracer to be fully self-contained for the purposes of executing RMF. 00:04:24:24 - 00:04:28:21 We also know that the RMF process is sprawling. 00:04:28:26 - 00:04:32:06 There are many stakeholders, many different systems that are involved. 00:04:32:06 - 00:04:35:18 So we know it needs to be able to be curated within Tracer, needs to be 00:04:35:18 - 00:04:39:01 easily shareable, removable with external services. 00:04:39:02 - 00:04:40:24 And OSCAL is perfect for doing that. 00:04:40:24 - 00:04:44:09 So not only the controls but then the body of evidence 00:04:44:09 - 00:04:48:09 that's managed within Tracer, all of that is packaged up 00:04:48:09 - 00:04:52:02 and behind the scenes is managed in the OSCAL format; 00:04:52:09 - 00:04:55:29 it can easily leave Tracer, move into external services. 00:04:56:07 - 00:04:59:04 Let's dive into our first control. 00:04:59:04 - 00:05:00:25 I'm sure everybody's favorite control, AC-1. 00:05:00:25 - 00:05:04:26 So here we see a small portion of the control 00:05:04:29 - 00:05:08:13 in OSCAL format for AC-1, again pulled straight from the 00:05:08:16 - 00:05:09:21 NIST repository, 00:05:09:21 - 00:05:14:02 and then on the right we have a small screenshot of the Tracer user interface. 00:05:14:17 - 00:05:17:13 We're going to zoom in on the Tracer UI in the next slide.
00:05:17:13 - 00:05:22:18 So we take that control language directly from the NIST repo in the OSCAL format. 00:05:22:18 - 00:05:28:25 That is then displayed in the Tracer UI where users can actually access it. 00:05:29:01 - 00:05:31:14 Then below those, you'll see the implementation, 00:05:31:14 - 00:05:35:24 the sort of documentation phase where engineers, developers, people 00:05:35:26 - 00:05:39:25 responsible for implementing, they input their evidence here. 00:05:40:00 - 00:05:43:06 Then a third party assessor can come in and do the assessment. 00:05:43:13 - 00:05:47:13 And all of that data is collected in one place. 00:05:47:17 - 00:05:51:19 Again, it's all saved in that OSCAL format for the next step. 00:05:51:21 - 00:05:53:11 Let's zoom in and see what that looks like. 00:05:53:11 - 00:05:56:12 On top you have the actual control language, 00:05:56:12 - 00:05:58:02 you know, your assessment objectives, 00:05:58:02 - 00:05:59:19 the control discussion. 00:05:59:19 - 00:06:03:03 You know, ultimately you'll have your, like, implementation parameters here as well. 00:06:03:06 - 00:06:07:07 And then below this is where you'll see the evidence added by developers, 00:06:07:09 - 00:06:10:16 assessed by assessors and then merged into this overall body 00:06:10:16 - 00:06:14:09 of evidence that will ultimately go into the system security plan. 00:06:14:17 - 00:06:18:21 So moving on, again, this is just like, control language 00:06:18:21 - 00:06:22:16 is then merged with that body of evidence in the OSCAL format. 00:06:22:20 - 00:06:26:13 That will then go shape the OSCAL system security plan. 00:06:26:19 - 00:06:29:03 What Tracer does, it has another interesting facet. 00:06:29:03 - 00:06:32:02 We look at controls really from two directions. 00:06:32:02 - 00:06:35:25 One is from the system perspective and the other one is from 00:06:35:25 - 00:06:37:06 the component perspective.
00:06:37:06 - 00:06:41:28 Any given control can be broken out into policy, 00:06:41:28 - 00:06:45:20 infrastructure, platform or application controls. 00:06:45:25 - 00:06:46:22 Choose your control. 00:06:46:22 - 00:06:50:16 It can be labeled as one or really any combination of the above. 00:06:50:16 - 00:06:53:28 And what that means is that when we establish these components 00:06:53:28 - 00:06:58:24 within a system, if a component is, say, a policy component, 00:06:58:27 - 00:07:03:11 that component is then responsible for all controls that are labeled policy. 00:07:03:15 - 00:07:07:11 So going back to this example, you have your control here. 00:07:07:14 - 00:07:11:10 Let's just say it must be implemented across all of the layers 00:07:11:10 - 00:07:15:10 of the system tech stack: policy, infrastructure, platform and application. 00:07:15:13 - 00:07:19:07 Looking at it from a system perspective, you can do an overall kind 00:07:19:07 - 00:07:22:20 of holistic system control assessment, 00:07:22:20 - 00:07:25:28 but then you can also dive into how this control was implemented 00:07:25:28 - 00:07:27:15 at each of these given layers. 00:07:27:15 - 00:07:30:28 This is supported in the system security plan format. 00:07:31:02 - 00:07:34:07 You get a holistic, system-centric perspective, 00:07:34:07 - 00:07:35:09 but you can still dive in 00:07:35:09 - 00:07:39:06 to see how each control is affected by an individual component. 00:07:39:10 - 00:07:41:18 And the converse is true as well. 00:07:41:18 - 00:07:45:11 You can dive in and do an examination of a given component. 00:07:45:17 - 00:07:49:24 We know exactly which controls that component is responsible for. 00:07:50:01 - 00:07:51:19 You can almost take that component 00:07:51:19 - 00:07:55:10 out of context and do an individual component assessment 00:07:55:18 - 00:07:59:00 versus really having to assess the entire stack at any given time.
00:07:59:06 - 00:08:02:22 And that has a couple of different implications that we'll talk about 00:08:02:22 - 00:08:06:05 a little bit later on, and sort of like where we see Tracer going in the future. 00:08:06:08 - 00:08:07:15 But at this point, 00:08:07:15 - 00:08:12:01 this is how we are developing a very clear breakdown and 00:08:12:01 - 00:08:15:07 very transparent method for sharing system control 00:08:15:07 - 00:08:16:21 implementation evidence 00:08:16:21 - 00:08:18:27 through a modern software system. 00:08:18:27 - 00:08:23:15 A lot of what's coming online right now is cloud based, you know, AWS, 00:08:23:15 - 00:08:29:10 GCP. Those services handle so much of the control baseline, 00:08:29:10 - 00:08:32:10 and then you can go on down with your platform services. 00:08:32:13 - 00:08:35:03 A lot of these commercially available services 00:08:35:03 - 00:08:36:07 are componentized, 00:08:36:07 - 00:08:38:15 and the way that controls are answered, 00:08:38:15 - 00:08:40:17 you can't really answer it completely 00:08:40:17 - 00:08:44:08 from the system perspective. You really do need the sort of stratified 00:08:44:10 - 00:08:45:24 component structure 00:08:45:24 - 00:08:49:15 in order to, like, really accurately and transparently answer these controls. 00:08:49:15 - 00:08:53:06 Let's now take a look at Tracer in action. 00:08:53:15 - 00:08:56:02 I'm just going to sort of let this demo play for a few minutes. 00:08:56:02 - 00:08:59:25 We're going to be landing here on the systems page, where 00:08:59:25 - 00:09:01:15 you can manage multiple systems. 00:09:01:15 - 00:09:03:18 It's not just one system, and by system, 00:09:03:18 - 00:09:05:10 it's really like authorization. 00:09:05:10 - 00:09:08:08 We're sort of jumping right into an established system, 00:09:08:08 - 00:09:13:14 but in order to establish a new system, you select your framework of choice. 00:09:13:14 - 00:09:17:26 Right now we support 800-53 Rev 4 and 5.
00:09:17:28 - 00:09:20:00 We also have a PII overlay, 00:09:20:00 - 00:09:23:29 and we're soon going to be able to support the FedRAMP framework 00:09:23:29 - 00:09:25:23 and baselines as well. 00:09:25:23 - 00:09:28:28 And all of these controls are automatically imported via 00:09:28:28 - 00:09:31:18 OSCAL from the NIST repositories. 00:09:31:18 - 00:09:34:23 So behind the scenes, when you're establishing a system, 00:09:34:29 - 00:09:36:06 you select your framework. 00:09:36:06 - 00:09:37:19 You select your categorization, 00:09:37:19 - 00:09:39:14 you know, low, moderate or high. 00:09:39:14 - 00:09:42:12 And Tracer just goes and grabs all of those controls, 00:09:42:12 - 00:09:44:19 populates them in your system for you, of course. 00:09:44:19 - 00:09:46:11 Then you move on to the tailoring, 00:09:46:11 - 00:09:50:20 where you can customize your control baseline to your specific system's needs. 00:09:50:26 - 00:09:52:14 And then you go through the rest of the process 00:09:52:14 - 00:09:55:06 of, you know, like, implementation, assessment, and beyond. 00:09:55:06 - 00:09:57:06 You're looking at the systems page. 00:09:57:06 - 00:09:59:25 You can see the VA Lighthouse system has already been set up. 00:09:59:25 - 00:10:01:17 All of the controls have been assigned. 00:10:01:17 - 00:10:03:23 There are several components within. 00:10:03:23 - 00:10:05:09 Let's dive in by clicking on 00:10:05:09 - 00:10:08:03 Now we can see the entire control list of the system. 00:10:08:03 - 00:10:09:06 And over on the left 00:10:09:06 - 00:10:11:20 you see how the controls are broken down by the control type.
00:10:11:20 - 00:10:14:21 When a system is created, the controls are automatically imported 00:10:14:21 - 00:10:17:06 via OSCAL from the NIST repository. 00:10:17:07 - 00:10:19:05 Once we have the controls here in the system, 00:10:19:05 - 00:10:22:25 we can label each one as either organization, infrastructure, 00:10:23:01 - 00:10:26:05 platform, application or any combination of the above. 00:10:27:04 - 00:10:29:21 Doing this gives us just structure to enable control 00:10:29:21 - 00:10:32:26 inheritance without being overbearing. Establishing this inheritance structure 00:10:32:27 - 00:10:37:08 lets the system inherit all the controls above it in here, 00:10:38:09 - 00:10:41:09 and also lets them share their controls with the components. 00:10:41:21 - 00:10:44:09 As we can see here at the bottom of the stack, 00:10:44:09 - 00:10:48:14 the application here is responsible for 148 of the 374. 00:10:48:18 - 00:10:50:29 This means that when we onboard a new application, 00:10:50:29 - 00:10:53:05 we already know exactly which controls it needs. 00:10:53:05 - 00:10:56:05 So, now that our system is established and we know where our controls need to be, 00:10:56:10 - 00:10:57:23 let's onboard a new application. 00:10:57:23 - 00:10:59:25 When you click on the "View Components" button, 00:10:59:25 - 00:11:03:13 you can see all the individual components already established here in the system. 00:11:03:24 - 00:11:05:16 So let's create a new component. 00:11:05:16 - 00:11:07:19 I'll fill out all the required information, 00:11:07:19 - 00:11:09:16 and then we'll establish its inheritance. 00:11:20:22 - 00:11:21:12 We'll select from 00:11:21:12 - 00:11:24:13 the components we have already established within the VA Lighthouse system. 00:11:24:20 - 00:11:27:24 And as I view, you can see the control version for the new component. 00:11:28:01 - 00:11:30:25 Once done, we can see that only a fraction of the overall control 00:11:30:25 - 00:11:33:25 baseline would already be inherited.
00:11:37:06 - 00:11:39:06 Let's dive into this new component to see what we have 00:11:39:06 - 00:11:42:08 left to do. Right away we can see which controls are inherited. 00:11:43:20 - 00:11:45:13 We can also click on the inheritance stack 00:11:45:13 - 00:11:47:28 to check out the controls we inherited. 00:11:47:28 - 00:11:49:25 Let's jump into AC-2.5, 00:11:49:25 - 00:11:51:18 since we see it's in progress, 00:11:51:18 - 00:11:53:16 to see what it looks like for everything inside. 00:11:53:16 - 00:11:54:17 Developers will come here 00:11:54:17 - 00:11:56:12 to drop in their implementation details, 00:11:56:12 - 00:12:00:04 so we as assessors are checking to make sure everything looks as it should. 00:12:00:09 - 00:12:05:10 Developers can drop in text, code snippets, links, and even images as part of the documentation. 00:12:05:25 - 00:12:08:25 So in this example we can see some text and the code snippets. 00:12:09:09 - 00:12:12:09 There are also spaces for notes and an activity log, 00:12:12:19 - 00:12:16:00 so the developers and assessors can go back and forth during the implementation 00:12:16:00 - 00:12:17:00 process, if need be. 00:12:18:03 - 00:12:21:16 Tracer can automatically generate a control report for this new app 00:12:21:17 - 00:12:24:17 that not only includes the information that we just added to the new app, 00:12:25:15 - 00:12:28:22 but also includes all the controls and documentation for the editing. 00:12:29:05 - 00:12:30:22 So, quick little inject here. 00:12:30:22 - 00:12:33:18 We're going to take a look at what a couple of these formats could look like. 00:12:33:18 - 00:12:38:00 We're looking at the OSCAL XML, of course, as well as CSV. 00:12:38:00 - 00:12:41:13 So in just a minute I'll click through and show you examples of what that could look like. 00:12:41:26 - 00:12:45:26 This allows us to holistically assess any given component. 00:12:46:28 - 00:12:50:22 You can also go back to the system view and check back in on AC-2.5
00:12:51:05 - 00:12:53:25 to see how it looks from the system perspective. 00:12:53:25 - 00:12:55:25 You can see here which components are responsible 00:12:55:25 - 00:12:58:25 for implementing this control and their individual statuses. 00:12:59:16 - 00:12:59:27 See here 00:12:59:27 - 00:13:02:27 that AC-2.5 for the new application has been marked as 00:13:03:19 - 00:13:06:12 along with the other application in the system, 00:13:06:12 - 00:13:09:26 which means the overall implementation of this control is compliant in the system. 00:13:11:22 - 00:13:13:18 Lastly, Tracer plugs into your 00:13:13:18 - 00:13:17:09 CI/CD pipelines to display your vulnerabilities. 00:13:18:03 - 00:13:21:07 These results are displayed on the components themselves, on the component page. 00:13:21:20 - 00:13:24:20 You don't have to go to another product to access the latest there. 00:13:25:23 - 00:13:27:09 So, to bring it all together. 00:13:27:09 - 00:13:29:27 This makes it easy to onboard new capabilities, 00:13:29:27 - 00:13:34:01 visualize security data and manage lifecycle compliance information on. 00:13:35:09 - 00:13:37:16 Also, there's a lot that goes beyond 00:13:37:16 - 00:13:41:14 what is explicitly required for a traditional system security plan. 00:13:41:16 - 00:13:45:23 As you can see, there are activity logs and the back and forth between developers 00:13:45:23 - 00:13:50:09 and assessors as a control is going through its initial implementation, 00:13:50:09 - 00:13:54:26 or even as the control evolves over time. The traditional SSP format, 00:13:54:26 - 00:14:00:12 it's really only a subset of the data that Tracer can produce and curate. 00:14:00:16 - 00:14:04:23 All that being said, of course, we know the SSP is the industry standard, 00:14:04:28 - 00:14:09:27 so the additional data that is managed within the application can either, 00:14:10:07 - 00:14:14:09 of course, just live within Tracer, or be managed in like a separate artifact.
00:14:14:13 - 00:14:19:01 Really, like, what we're trying to get at is producing this platform that goes 00:14:19:01 - 00:14:23:11 beyond the initial implementation and assessment of a given system 00:14:23:18 - 00:14:27:07 and moving into a continuous RMF type paradigm. 00:14:27:11 - 00:14:30:28 And so we know that we're going to have to move beyond the SSP format, 00:14:30:28 - 00:14:34:21 which, what I mentioned before, is focusing on data, not documents. 00:14:34:24 - 00:14:36:05 Not trashing the SSP, 00:14:36:05 - 00:14:40:12 but again, not focusing on the SSP being the finish line, 00:14:40:18 - 00:14:43:11 really just a checkpoint along the way. Okay. 00:14:43:11 - 00:14:47:22 So this is a little screenshot of the 00:14:47:24 - 00:14:50:25 SSP export that came out of Tracer. 00:14:50:29 - 00:14:53:07 And again, I think I should have mentioned this upfront. 00:14:53:07 - 00:14:55:02 All of this is mock data. 00:14:55:02 - 00:14:56:09 None of this is real data. 00:14:56:09 - 00:15:00:00 So even though we were using VA Lighthouse as an example, 00:15:00:00 - 00:15:03:24 all of the information within Tracer in the demo, that's all notional. 00:15:03:26 - 00:15:06:10 Same thing for these exports. This is all notional. 00:15:06:10 - 00:15:10:26 This should be consumable by all other systems that can consume OSCAL. 00:15:11:09 - 00:15:13:20 It conforms to the OSCAL framework. 00:15:13:20 - 00:15:16:03 However, we know that not everything is there. 00:15:16:03 - 00:15:18:27 Sometimes it will need to be human readable, 00:15:18:27 - 00:15:23:05 especially for AOs or just authorizing bodies 00:15:23:05 - 00:15:25:21 that aren't as up on OSCAL and still need 00:15:25:21 - 00:15:29:02 more of your traditional kind of CSV, your Excel spreadsheet, output. 00:15:29:16 - 00:15:30:20 What we're still doing here 00:15:30:20 - 00:15:34:22 is supporting the paradigm that we've established within Tracer.
00:15:34:23 - 00:15:38:03 Say, you know, for your given control, you have the overall 00:15:38:03 - 00:15:41:24 compliance status of that control from a system perspective. 00:15:41:24 - 00:15:45:07 You can then see which components support that control. 00:15:45:07 - 00:15:47:24 So let's just say component one and component two. 00:15:47:24 - 00:15:50:29 They might have their independent compliance status. 00:15:51:04 - 00:15:55:18 There's also a potential inheritance factor for these different components, 00:15:55:26 - 00:15:59:28 and then the actual evidence or implementation details 00:16:00:05 - 00:16:01:22 for those individual components. 00:16:01:22 - 00:16:04:28 So this is just, again, a more transparent way of looking at 00:16:04:28 - 00:16:08:17 how a control is implemented from a system perspective. 00:16:08:21 - 00:16:10:10 Right. So what are the key benefits here? 00:16:10:10 - 00:16:15:23 So, using OSCAL in Tracer makes it way easier to establish your system. 00:16:15:26 - 00:16:18:10 It really is just a matter of a few clicks 00:16:18:10 - 00:16:23:00 to import the control baseline from the repo in OSCAL format, 00:16:23:18 - 00:16:26:25 then a few more minutes of your control selection or tailoring 00:16:27:01 - 00:16:29:01 to really tailor it to your exact needs. 00:16:29:01 - 00:16:32:24 Beyond that, modifying existing packages can be done really easily 00:16:32:24 - 00:16:34:26 because this is all a digital format, 00:16:34:26 - 00:16:36:14 so you can bring in controls, 00:16:36:14 - 00:16:39:14 you can remove controls, again in just a couple of clicks. 00:16:39:20 - 00:16:41:03 And then once all of the 00:16:41:03 - 00:16:45:09 implementation and assessment is done, you can automatically generate these SSPs. 00:16:45:14 - 00:16:50:06 Also, if you have a machine to machine connection, say with EMFs, or XACTA, 00:16:50:17 - 00:16:55:07 that can be done automatically any time new data is introduced into the system.
00:16:55:14 - 00:16:59:06 You see there's an update to how a component addresses a control. 00:16:59:06 - 00:17:04:04 All of that can be shipped automatically to your documentation source of choice. 00:17:04:08 - 00:17:04:21 This makes it 00:17:04:21 - 00:17:08:00 so you don't have to wade through, you know, huge documents or spreadsheets. 00:17:08:00 - 00:17:12:04 And again, because it's data driven, it's really easy to tell what has changed, 00:17:12:04 - 00:17:15:11 you know, within a given time frame. What is next? 00:17:15:20 - 00:17:20:05 It is establishing the concept of free floating components 00:17:20:22 - 00:17:23:14 using OSCAL that can be imported into systems. 00:17:23:14 - 00:17:27:06 A great example is AWS has their OSCAL SSP. 00:17:27:09 - 00:17:29:21 GCP just pushed something out. 00:17:29:21 - 00:17:34:04 Same thing goes for other cloud service providers or any other 00:17:34:07 - 00:17:37:18 service, you know, vanilla Kubernetes or any other service 00:17:37:18 - 00:17:41:01 that is commonly used, establishing their own 00:17:41:11 - 00:17:48:26 OSCAL formatted SSP or sub-SSP that can be automatically imported into Tracer. 00:17:49:01 - 00:17:53:18 Not only can we bring in the controls that those components satisfy, 00:17:53:22 - 00:17:56:13 but we can also bring in the implementation details. Really, 00:17:56:13 - 00:18:00:09 what this means is that building entire packages can be cut down to minutes. 00:18:00:11 - 00:18:02:23 Kind of like you can do a drag and drop kind of thing, right? 00:18:02:23 - 00:18:06:05 Because we've established this hierarchy within the system, 00:18:06:05 - 00:18:10:09 you can just sort of select your stack and we can bring in all of the data, again 00:18:10:09 - 00:18:11:15 via OSCAL. 00:18:11:15 - 00:18:14:23 Cut the package creation, not just establishing the system baseline, 00:18:14:23 - 00:18:17:24 but actually creating the package, down to just minutes.
00:18:17:29 - 00:18:23:16 When the master component is updated, say, you know, AWS updates their SSP, 00:18:23:16 - 00:18:25:27 those updates could then be automatically rippled 00:18:25:27 - 00:18:28:27 into everybody else's package that is using that service. 00:18:28:29 - 00:18:33:01 What this means is that authorizations can really just focus on the small, 00:18:33:05 - 00:18:37:09 idiosyncratic elements of the system that make that system unique, 00:18:37:09 - 00:18:40:22 not reassessing the entire monolith, really, 00:18:40:22 - 00:18:42:03 the entire time. 00:18:42:03 - 00:18:47:21 What this means is that new capabilities will make it to users much faster, 00:18:47:24 - 00:18:49:18 both in the initial authorization 00:18:49:18 - 00:18:53:03 stage, as well as keeping software and systems up to date. 00:18:53:11 - 00:18:54:02 It'll open the door 00:18:54:02 - 00:18:58:03 to more commercial companies who, right now, a lot of the industry 00:18:58:03 - 00:19:02:05 just doesn't know how to or can work with, can't work with the government 00:19:02:05 - 00:19:05:19 because this bureaucratic boundary is just so high. 00:19:05:19 - 00:19:09:14 Removing those barriers will open the door for more industry to want to work 00:19:09:14 - 00:19:14:02 with the government, giving government customers more choice, more competition, 00:19:14:10 - 00:19:15:19 you know, better prices. 00:19:15:19 - 00:19:19:02 Of course, across the board, making software more relevant, 00:19:19:02 - 00:19:20:08 more frequent updates, 00:19:20:08 - 00:19:24:28 and just like, really providing more effective software for all of our, 00:19:24:28 - 00:19:27:29 you know, our warfighters, our service providers, everybody in the government. 00:19:28:07 - 00:19:30:21 That's the end of our content. 00:19:30:21 - 00:19:33:15 We would love to hear thoughts or questions 00:19:33:15 - 00:19:35:07 that people might have from the community.