In Calvinball, the rules were always changing. When it comes to the DoD’s Cybersecurity Maturity Model Certification, it seems to look increasingly like Bill Watterson’s masterpiece, Calvin and Hobbs.

Today’s interview is with Dr. Amy Williams from Coalfired Federal. She has years of experience in the nuances of CMMC and has a strong academic background to be able to understand complex topics and present them in an understandable manner.

Amy begins the interview with the range of activities that companies have regarding CMMC compliance. Some companies have invested thousands of hours in preparing for this rigorous compliance;. On the other hand,  some organizations do not realize it could be a twenty-four-month process and if they delay starting, they could compromise future business.

One of the main takeaways from the interview is the timeline on CMMC that Coalfire Federal provides. It has been a circuitous route where the DoD was vociferous about the program and then had a mysterious quiet period. Then, like Venus sprouting from Zeus’s brow, the DoD releases more details on CMMC.

Dr. Amy Williams observes that companies should know what is essential and what is superfluous at the varying levels of CMMC. Many defense contractors are already working 10-hour days without the burden of CMMC compliance. In order not to waste time, a framework is given as to when a company should consider using a consultant and when to bring the compliance work in-house.

The episode ends on an optimistic note – it was observed that the baseline of compliance, a mere seventeen controls, is basic cybersecurity for any modern company. These include basics like multifactor authentication and understanding where important documents are located on your network.

Follow John Gilroy on Twitter @RayGilray

Follow John Gilroy on LinkedIn  https://www.linkedin.com/in/john-gilroy/

Listen to past episodes of Federal Tech Podcast  www.federaltechpodcast.com

In the early days of computer networking, one was taught to make the network hard on the outside and soft in the inside. A more popular variation on this concept was your network should be like a castle with a moat around it to prevent entry. Well, both metaphors have been destroyed.

Today, you would be naïve if you did not assume the bad guys are inside your network. The proposed solution is, of course, zero trust. However, you do not flip a switch and have a zero-trust network assembled.

Before the world ushers in the panacea of Zero Trust, federal technology leaders must have tools to protect what is going on inside the castle walls. Early attempts Intruder Detection Systems. This approach could generate false positives, needed full-time monitoring, and was expensive.

During today’s interview, Mark Bowling from shares with the audience a concept called Network Detect and Response. They begin with complete network transparency. Through proprietary means, they could gain complete visibility on a network.

Years ago, a federal agency could walk down the hall to see the network; today’s networks are flooded with remote sensors, contractors, new employees, and remote workers. This dynamic nature makes it difficult to draw up a rough diagram, not have a thorough understanding. Even if you did, this network would be changing with virtual systems spinning up and containers adding to the confusion.

Mark Bowling has decades of experience with highly classified documents on highly secure systems. He suggests thorough visibility allows leaders to set up a tiered structure to locate high value assets and protect them first.

Follow John Gilroy on Twitter @RayGilray

Follow John Gilroy on LinkedIn  https://www.linkedin.com/in/john-gilroy/

Listen to past episodes of Federal Tech Podcast  www.federaltechpodcast.com

Traditionally, a threat was detected, and a remediation plan was deployed.  This is classic Endpoint Detect and Response (EDR).  Would that life be that easy.

Today, we have malicious actors using generative Artificial Intelligence to slightly alter code, so it doesn’t resemble previous attacks.  This kind of eliminates the “detection” part of EDR.

This isn’t rare anymore.  In fact, in August of 2023 Deep Instinct did a study where it concluded that there was a significant increase in cybersecurity attacks fueled by generative Artificial Intelligence. Some findings

·       75% increase in attacks last year

·       85% if these attacks are attributed to generative Artificial Intelligence 

During today’s interview, Carl Froggett from Deep Instinct gives an option to run-of-the-mill EDR.  He gives the listeners an overview of how Deep Instinct started. He explains that, originally, they relied on open source for data on attack activity.  However, researchers discovered that open source was not powerful enough.

Deep Instinct decided to develop proprietary ways to look at massive data streams to determine if there were threats.  They started with Artificial Intelligence, moved to Machine Learning, and focused on the algorithm associated with a concept called Deep Learning.  They have had tremendous success.

One determinate of effective threat screening is reducing false positives.  This is a significant problem. In the interview, Carl Froggett suggests that if an organization has 30,000 events a day and just 1% are false positives, this can be a massive drain on work for cyber professionals. 

When your opponent uses Artificial Intelligence then you must respond in kind; learn how Deep Instinct can assist your agency in today’s brave new world.

Follow John Gilroy on Twitter @RayGilray

Follow John Gilroy on LinkedIn  https://www.linkedin.com/in/john-gilroy/

Listen to past episodes of Federal Tech Podcast  www.federaltechpodcast.com

Everyone who has watched everything from Star Wars to Star Trek has never encountered some of the problems we see in space today: collisions and space junk.  It just doesn’t make for a good story on the big screen.

However, the reality is that there will be 30,000 satellites launched before 2030 and we are encountering challenges in what is called situational awareness.  In this application, situational awareness is the concept that a satellite must know where it is heading, and whether other objects in space may be on a collision course.

This is such a complex problem that companies like Kahan Space have had to take advantage of technology like cloud computing and artificial intelligence to make space exploration safe.

Today, we sat down with Araz Feyzi, one of the co-founders of a company called Kahan Space.  The problem that is solved is simple to describe, but incredibly complex to solve space situational awareness.

During the interview, Araz gave a great explanation of the problem. For example, on the high seas, there is international law that has been established if there is an incident.

However, in outer space, there are no rules of engagement.  If a satellite is heading towards an American satellite, there is no law or regulation to tell the satellite operators what to do.

This is such a complicated problem that Kahan Space was launched to enable satellite operators to be able to predict trajectories.  The cloud’s ability to store and compute must be utilized to have a better outcome when there is an incident.

The term Araz uses is the popular “orchestrate.”  Normally used for terrestrial data processing, it is increasingly being used for analysis of complicated satellite patterns. 

Follow John Gilroy on Twitter @RayGilray

Follow John Gilroy on LinkedIn  https://www.linkedin.com/in/john-gilroy/

Listen to past episodes of Federal Tech Podcast  www.federaltechpodcast.com

Today, we have Will Laforest from Confluent explain how federal leaders can harness the power of data streaming.

We all know that data has exploded since the advent of cheap storage, remote computing, and the proliferation of the Internet of Things.   Several lessons have been learned.  First, just because you have petabytes of data doesn’t mean it can help in making decisions; second, if you delay acting on that data you can leave your agency vulnerable.

The Federal Data Strategy recognizes these concepts.

In this interview, Will LaForest unpacks the idea of getting insights on perishable data.  His company, Confluent, was founded in 2014 by engineers who leveraged an open-source project called Kafka to enable systems to absorb data in real-time. 

During the interview, Will provides guidelines on understanding concepts like low coupling, microservices, and data meshes.

The foundational concept is to allow federal agencies to ingest data rapidly and be able to take advantage of the plethora of information to assist in making decisions that need to be made rapidly. 

The best example that Will LaForest gives is threat intelligence.  When a malicious event occurs, time is of the essence.  Rapid response can mitigate any damage that is done by many cybersecurity events.

Follow John Gilroy on Twitter @RayGilray

Follow John Gilroy on LinkedIn  https://www.linkedin.com/in/john-gilroy/

Listen to past episodes of Federal Tech Podcast  www.federaltechpodcast.com

Kenny Rogers once had a popular song where he sand, “There’s time enough for countin’ when the dealin’ is done.”

Well, there was a lot of spending during Covid and now is the time to reflect on how we could have optimized that spend.

In the studio today is Tom Voshell from Coupa.  He will bring a new perspective on how to efficiently allocate resources.  The focus is not on shopping for the best price; the emphasis is to admin that acquisition is a complex process and systems should be administered to make sure the spend is optimized.  

The initial example he gave was the four billion dollars that is spend annually by the GSA on P cards.  When used properly, this spend can result in a 25% savings.  Combine that with properly administered points, this can allow an agency to have funds for much needed equipment or services.   Tom Voshell details the difference between a proactive and a reactive spend.

In another example, if a person in Utah wanted to get landscaping, they may select a company.  Perhaps they did not know there was already in place a negotiated agreement between the federal government and a local landscaping company.

There was no malice intended, but it is possible that the person making the decision had no idea about systems and procedures for getting a job done.

Tom Voshell recommends an approach that is systematic and user friendly.  This is the way to optimize existing funds as well as leverage any benefits from using cards to purchase goods and services.

Follow John Gilroy on Twitter @RayGilray

Follow John Gilroy on LinkedIn  https://www.linkedin.com/in/john-gilroy/

Listen to past episodes of Federal Tech Podcast  www.federaltechpodcast.com

Donald Rumsfeld is famous for saying there are “unknown unknowns.”  Today’s interview with OnSolve takes this concept down a practical road:  once something Is known, how can you quickly inform people of the issue? 

When it comes to the federal government, notifications can range an incredible gamut.  A systems administrator needs to know if a server is malfunctioning in a data center; a FEMA administrator needs up-to-date information on weather conditions; satellite operators need to know if a collision is imminent. 

OnSolve has been helping commercial organizations as well as the federal government since 1998.

Our guest today is Chris Hurst.  He is no stranger to emergencies – he has served in war zones and has been responsible for life-and-death situations. 

During the interview, he articulates a brilliant concept.  Today, the concept of situational awareness seems to be general.  Kind of like, having a balanced diet. 

Chris Hurst takes the next step. He indicates that there is no monolith situational awareness. It should be thought of as a situational awareness that is applied to a specific use case.

Local police feeds must be structured differently from natural disasters. 

Furthermore, Chris gives the listeners a great perspective on how each one of those organizations needs a varying level of depth in notification. 

But is it not just making people aware, OnSolve is attempting to gather sources from hundreds of places to be able to have better learning on the risk side.

Listen for information on how your agency can benefit from understanding the range of options available when you consider risk notification. 

Follow John Gilroy on Twitter @RayGilray

Follow John Gilroy on LinkedIn  https://www.linkedin.com/in/john-gilroy/

Listen to past episodes of Federal Tech Podcast  www.federaltechpodcast.com

Artificial intelligence in software development has been top-of-mind for federal technology leaders once ChatGPT was popularized. This concern is documented in the recent “Request for Information on Open-Source Software Security: Areas of Long-term Focus and Prioritization” which was issued in August of 2023. 

Their concerns include the Secure Open-Source Software Foundation, incentives to secure open-source software, as well as research and development. If you are interested in commenting on this RFI, you may want to review a recent survey by GitLab.

They recently published its 2023 Global DevSecOps Report: The State of AI in Software Development.  They surveyed 1,000 software professionals and asked about concerns ranging from data security to training.   

Today, we will sit for an interview with Bob Stevens, the Vice President of Public Sector from GitLab to focus on this study and where results may be able to be applied to federal agencies.

One curious finding of the study was the fact that software developers spend 75% of their time on concerns that do not include writing code. 

Because software development is changing so fast, 81% of respondents indicated that they needed more training.  

Follow John Gilroy on Twitter @RayGilray

Follow John Gilroy on LinkedIn  https://www.linkedin.com/in/john-gilroy/

Listen to past episodes of Federal Tech Podcast  www.federaltechpodcast.com

If you have ever raised teenagers, you know the phrase, “unintended consequences.”

In today’s world of federal technology, this concept can be applied to data storage.  What are the consequences if you do not thoroughly erase data?  It could be an open door for data leakage. 

For example, what happens when your agency moves data from one cloud to another?  Is it erased?  How do you know? 

Let’s talk about the 500-pound elephant in the room – a cybersecurity event.  Today’s malicious actors have been known to place trojan horses in other areas of a system.  The concept of data sanitization is a concern for many federal leaders.

Ok.  We know we have standards for data erasure.  Civilian agencies have heard of NIST 800-88 and the folks at the Pentagon know DoD 5220-22 M/M ECE.  That is all well and good if applied properly. 

Many breaches occur because of human error; the same humans are tasked with applying these procedures for data sanitization. 

Maurice Uenuma from Blancco gives a great overview of some of the problems with effectively administering data erasure.  He brings up some issues that you may not have considered:

In a world of feds at the edge, what happens to data stored on remote devices?

How to automate erasure to make it compliant and secure

End-of-life cycle issues apply to software development and hardware as well.

Scalable storage is great – what happens to the dynamic elements of data storage?

Follow John Gilroy on Twitter @RayGilray

Follow John Gilroy on LinkedIn  https://www.linkedin.com/in/john-gilroy/

Listen to past episodes of Federal Tech Podcast  www.federaltechpodcast.com

It is always nice to occasionally get out of the trenches to look at the larger issues. Today, we sat down with Michael Mestrovich from Rubrik. He has decades of experience in three letter agencies and has a perspective that is hard to match when it comes to getting a handle on current trends in cybersecurity.

Michael gives a quick review of current trends in cybersecurity legislation. He notes that many have overlooked something as simple as the Internet of Things. IoT is projected to have as many as 30.9 billion endpoints by 2025.

Much of this technology is quickly placed without proper understanding of vulnerabilities. He suggests that much of it is in a deploy-and-forget type of implementation. This casual approach can drastically increase the attack surface for a federal agency.

Michael moves on to some of the current threats that are facing federal technology leaders. In order to get a grasp on what is prevalent, it is possible that people in the intelligence community may struggle with sharing information on threats.

When it comes to Artificial Intelligence, Michael thinks that it can have a positive impact on security when used in areas like automation.

Resilience is a term that is popular among leaders at the DoD; but it has application on civilian agencies as well. Rubrik has proved itself over the years in knowing how to gain visibility into a network and then having the ability to create immutable backups that are a good strategy at preventing malicious actors from planting code in backup copies.

Follow John Gilroy on Twitter @RayGilray

Follow John Gilroy on LinkedIn  https://www.linkedin.com/in/john-gilroy/

Listen to past episodes of Federal Tech Podcast  www.federaltechpodcast.com