Episode 23 | Discussion with Jared Shepard from Hypori

Kevin Long: Broadcasting from Fairfax, Virginia, you are now tuned in to the Highlight Cast with your hosts, Adam McNair and Kevin Long.

Adam McNair: Hello everybody and welcome to another episode of the Highlight Cast. Hi, I’m Adam McNair from Highlight. Happy to be talking with all of you again. Joined as always with Kevin Long. Kevin, how are you? 

Kevin Long: I’m doing great. How about yourself? 

Adam McNair: Oh, great. I got the opportunity to go to the ACT IAC ELC conference earlier this week, the Imagined Nation that they hold up in Hershey, Pennsylvania, so I’m getting back into the office day here and also was really surprised to see the number of people. That’s a conference that we held some virtual and some in person. Last year and a few of us went and it was certainly odd at the time and a lot of people and so I would estimate there I think they said there was something like 970 people and it used to top out at like 700 in some venues so it was really a well attended event and frankly the driving back Fourth to Hershey is much nicer than an interstate 95 corridor drive. So, 

Kevin Long: and so, so much easier than heading out to the eastern shore where it used to be. 

Adam McNair: Yes, right. So all of those, this was way easier. No bay bridge, none of that. So, so happy to get back. And, you know, as we, as I was at ELC, there were a lot of different conversations about both government initiatives and tools. I mean, things like CMMC came up, things like, of course, DevSecOps and software factories. And another thing that, Was device management and that’s that’s moved around along, you know, a lot over the years from why do people need a phone hook to the email system or whatever to, you know, we’ve we’ve we’re approaching the point where whatever somebody uses is just an end point, which is, Really exciting for us to be able to be, uh, to be joined today by Jared Shepard, who’s the president CEO of Hypori. So, Jared, I’ve been around in point management and, and so forth, and I know talking with, with Kevin, I’m excited to get you on the podcast today. What I understand is that you all have a real growing adoption rate in the DOD sector. But would you give us a kind of an overview of what you guys really, where your niche is in all of this technology ecosystem?

Jared Shepard: Yeah, sure. And, and, you know, Adam, Kevin, it’s good to meet you guys. And I appreciate you guys, you know, asking me to come on and talk a little bit. And it’s funny, you talk about endpoint management, so I’m not endpoint management. I’m an endpoint, but virtualized endpoint, right? So what is Hypori? Hypori is, is technically a secure Linux operating system, ultimately the AOSP, Android Open Source operating system, wrapped around a whole bunch of security protocols, and then a way in which we can deliver it to any edge device. And if you think about like the implications of that, what that means is rather than, you know, we joked earlier about the idea of zero trust, right? You know, zero trust is that new buzzword that everybody throws out there. It was kind of like, well, the old cloud, everybody likes to use it in a sentence. Nobody really knows what it means. If you look at the academic definition of, of what zero trust kind of is and its idea, In there, I think the most common accepted version. There’s five pillars in zero trust. One of those pillars is called edge. We solve for edge and it’s by taking the opposite approach to endpoint management. We don’t manage the endpoint. We instead, we assume every physical endpoint is an aggressor device, and so we don’t trust it. And what we do is we enable that VM, that virtual machine, Hypori, to stream encrypted change pixels to an edge device that write over themselves, right? So only change pixels, not full screen scrapes, but only change pixels to an edge device that write over themselves. And then collect telemetry, i. e. touch, type, swipe, that kind of thing, uh, hash, and then encrypt that and send it back into your secure environment, whether that’s cloud or on prem, and translate that into an action. So, so what does that mean, right? Okay, I’m not MDM, uh, uh, and nor am I VDI. Um, an actual autonomous Android operating system, so a mobile operating system that we spent a lot of time trying to figure out how to trick it into thinking that it’s native on any edge device that accesses it. So, you know, what Gartner said was, you know, hey, congratulations, you guys are your own category. You don’t really have any peers. Oh, hey, by the way, we’re really sorry to tell you. You guys are your own category. You don’t really have any peers and I didn’t understand the humor of that until I figured out that when you are in your own product category and that you’re first to market with a really new concept, you spend half your time trying to explain to the customer what you actually are because they end up being so embedded in the ideas of like what you said and point management, you know, that kind of a thing. So what we really are is we’re a secure streaming operating system accessible from any edge device. That’s zero trust in nature in that we assume the edge device is an aggressor device, so we don’t trust it. As a security play, we thought that was where our cat’s meow was, right? We were going to be this killer security platform that, that isolates data and enables you to access it. And what we figured out is there’s another side of the coin. Um, and this was by accident. The other side of the coin is privacy. And it’s, it’s not only, am I a secure mechanism that you can access information, but I don’t want visibility or access to the end point that is doing it, which means that your users can actually maintain a hundred percent of their privacy while accessing information from a secure enterprise. And there’s no chance of, of corruption, loss of information, intercepts, download, et cetera. 

Kevin Long: And since you’re only doing change pixels, nothing sits on the end device. 

Jared Shepard: Correct. Yep. It’s, it’s the change pixels are riding over themselves constantly. The telemetry is hashed and encrypted and sent in and translated into an action and it’s asynchronous. So the beauty of why that’s important is when it’s asynchronous, it means that you couldn’t run a keystroke logger or anything else like that because you’d have nothing to tie it to. You couldn’t tie it to an image.

Adam McNair: So that’s fascinating. I will tell you, I’ve, I spent years with different customers trying to solve the bring your own device, mobile device. And there were always all of those issues you’re talking about, because first off, if it is a trusted device that’s a government device, you have all of these issues of, well, what if somebody loses it? How do we have encryption of the data going to the device and then encryption on all the data at rest on the device? And I was part of a program one time where we wanted to make sure that these devices, they would travel with government and contractor users around the domestic US, but it was really important to us for a lot of reasons that if it ever left the continental United States that it couldn’t be used. So we had all kinds of complex geofencing that was built so that if they ever drove across the Canadian border, the device would start to wipe itself. But then you ask yourself all these questions. What if somebody is being malicious and they put it in a Faraday case? Drop it in a Faraday bag. Yeah. Drop it in a Faraday bag and all of a sudden you can’t do that anymore. And so then you said, okay, well, what if we have it so every time it goes into some something like that and loses its signal that it wipes. Well, They go through a train tunnel, we don’t want their device to wipe, so, and the complexity of those conversations would, I mean, we’re talking about months of planning and discussion and trying things, and then, the other side, when you would get user owned devices, and they get very touchy, understandably, very touchy about what are you putting on my device? This thing sits on my device, and you’d have some customers that would say, okay, well, if you’re going to use it for our enterprise, we’re going to take your entire device over. And I don’t want you to encrypt all my own data. 

Kevin Long: We get to wipe your device when, when you leave the organization, 

Jared Shepard: right? Oh, well, I mean, you know, and fascinating. One of the things that’s just come out of this, again, we started out as a cyber platform, right? But what’s come out of this though, from a privacy standpoint, it is something that we hadn’t anticipated. And the army and the army national guard really looked at this at depth, which is the liability piece. So look at a BYOD case, you know, for the army or for the national guard. I’m going to allow Sergeant Snuffy to access Nippernet, okay, from his own device. So my choices are using like an MDM, so Endpoint Management, right, or a platform like mine. Well, the problem with an Endpoint Management of any kind, MDM of any kind, it doesn’t matter which brand you’re thinking of, is that it has specific visibilities into the platform. Now, of course, MDM guys will say, No, you can isolate that. We don’t want to see what’s going on in their phone. Well, you say that right up until Sergeant Snuffy surfs the wrong website. And gets malware from that website. And when that malware then acts against the security container, the MDM will then report that. So now you have this paradigm problem where you have, Hey, I have an end point user who Sergeant snuffy just flagged for maybe a malicious code, and maybe it’s known malicious code that’s associated with an illegal activity of some kind. Kitty porn, something else like that, right? So now you legally as a government organization, have an obligation to do an investigation into something that you had no constitutional right to have access to in the first place. That’s just a liability that nobody wants. I don’t want to know what Sergeant Snuffy is doing on his phone in his own time. Sergeant Snuffy doesn’t want the army to know what he’s doing on his phone in his own time. But I still need to empower Sergeant Snuffy to have access to an official communications channel.

Adam McNair: Well, and another unintended effect and kind of time sink that I’ve seen is, you know, like you’re talking about that responsibility once you as as the government have that information. or as their contractor. It is your responsibility to look at it. You can’t just say we had this data that was reported to us and then something happened six months later and you say, well, we don’t look at those logs.

Jared Shepard: Well, you know, in fact, it’s actually changed. So now you don’t have that choice anymore. So if you look at the Cybersecurity Act of 2022 that just passed, the Cybersecurity Act of 2022 says any managed endpoint Which is both, you know, BYOD or government that is, is compromised with malware must be reported all the way up to CISA. So now if you’re, you know, a defense industrial based customer, like a Boeing, Lockheed, Northrop, booze, whoever, right. Do you really want to report that one of your employees had their device compromised from, uh, a bad actor software because they were browsing the wrong kind of website. You want to report that to CISA? Nobody wants that. 

Adam McNair: Now, and you’re right. We are put in those situations. I mean, Kevin and I had been in spots before where, you know, just because somebody had what was clearly, we believed an innocent, unintended issue with a device that got compromised and we’re having to tell them, and we’re and all the way up chain that there was a compromised device, it does put you in a negative spot. So there’s another aspect of that. As we were having conversations about CMMC at Highlight and we were preparing for it and we were gearing up for it. One of the most challenging conversations that we had was we had an MDM in place already. And. We overlaid the CMMC requirements over top of the MDM features that we had, and that Venn diagram was impossible to complete. Every time we would look at a tool that we had, or a tool that we could buy, because what we were hoping for was from both a cost and simplicity of architecture and everything else, we just wanted to have one tool. Plus, you know, there’s also some aspects that when you start to lay a bunch of different security tools over top of each other, one of them can’t tell what the other one is doing, and it, you know, you can actually end up kind of a mess that way. But, so we wanted to end up with one MDM, and we were having really difficult times finding something that was appropriate for the scale of our organization that was compatible with the other tools that we already had, that wouldn’t require us to rip a whole bunch of stuff out, And that also wasn’t going to be the world’s most complex cobbled together. Okay. Well, what does this tool do? It only does this little log aggregation. That’s all it does. And we have this extra thing. 

Kevin Long: Impossible to manage or impossible to do work with. 

Adam McNair: Yeah. Right. And, and also some pretty significant potential for like really bad user experience. You know, uh, you know, welcome to Highlight. Here’s your mobile device. Install these 14 apps and just log into these. things. And some of these logins are unique and they expire every, every, you know, 30 days. But what I’m hearing is that CMC issue is a huge one because the defense industrial base, the conversations, as I was sitting on the advisory board at one point, when I first heard about CMC, I’m like, yeah, we’re a defense contractor. We need to be able to support this. And we’d be on some of these calls and there’d be a company that says, look, I make rivets. I make rivets for various airplanes and DoD buys some of them, like, because I’m used to the idea that we have all this data and we’re used to data security and all of these kinds of things. Not that we are a manufacturer or, you know, somebody that decided to sell some tires to DoD and now all of a sudden I’m, you know, a supplier under those terms and need to, you know, safeguard data. So it sounds like Hypori is A potential way that you don’t have to deal with any of that. I mean, is that 

Jared Shepard: basically the way your construct works? Well, I, I, I wish I could say it was that easy of a big magic wand. Right. So let me unpack what you just said a little bit. So one is, you know, MDM has its place in infrastructures, right? And I’m definitely not saying I’m the replacement for MDM, I’m an alternative when you talk about BYOD to MDM on an endpoint. But like, if you’re an MDM shop already and you’ve deployed for instance, like Microsoft Intune and you’re using it. Because it’s integrated with all the rest of your Active Directory tool sets, et cetera. And that’s good for you. Great. Deploy inside of Hyperi and manage the virtual device rather than managing the physical end point. Right. So if you start to think about MDM really was, it didn’t start out as a security tool. It started out as an inventory management tool. And if you need that in your enterprise, it’s still a very strong tool to use. But now you look across the defense industrial base, you know, what you’re talking about, like people who have to be CMMC 2. 0 compliant, look at the problem set of how do I get access to GCC high and how do I protect that? And you know, how do I meet all the CMMC 2. 0 requirements? One of the fascinating things like is people say, well, MDM. Okay. So who are the largest MDM providers right now in the DOD? MobileIron, AirWatch, and Microsoft Intune, right? Okay, so do you know who all Microsoft Federal uses for BYOD? The reason for that isn’t because I’m I’m better or worse than Intune. I’m not Intune. I’m not. I’m not an endpoint management platform, right? Which is what MDM is. The reason for that is, is because Microsoft is faced with the problem that Microsoft Federal is faced with the problem, specifically that the rest of the defense industrial base is largely faced with two, especially the larger guys, the Boeing’s, the Accenture’s, the Lockheed’s. Is that they have more than one security environment that their employee needs access to an MDM can only actually manage one security environment on an endpoint. So now think about that. Why is that important? Well, because the employee of Boeing has to have access to boeing. com and boeing. gov or dot us, right? So they need to have access to both their HR side of the house, which is big corporate headquarters. And then they need to have access to GCC high for government customer related activities. How do you do that from one endpoint? Well, I mean, MDM can only address one of those two, it can’t address both. We can address both, and we can enable you to not have to issue an additional phone for GCCi and manage an additional entire endpoint management platform, right, etc. So, again, like, having Microsoft, you know, being a user and consumer of Hyperi kind of goes to show that I’m not a competitor to MDM, nor am I MDM, nor do I, do I propose to be. I’m an alternative solution to, to the way in which, from a Zero Trust standpoint, you treat endpoints. 

Adam McNair: I see a lot of tools that, MDMs are the same as kind of all the different families of tools. It’s very common that whatever they started as, And evolved to they’re always better at whatever they started at Than all of the other things that have been added on and so, you know, you’re right I’ve seen a lot of times what was really asset management or patch management Was kind of the core that then said like we’re just going to manage all these endpoints with this thing And 

Jared Shepard: remember that that’s what cyber security started out as as policy and ultimately software management, you know patch management 

Adam McNair: Right. We’re only going to deploy locked down versions, and we ought to at least have an inventory so we know 

Jared Shepard: what we have. And that’s where I challenge also, too, the idea, we talked about Zero Trust and ZTA, right? I challenge the idea of Zero Trust in that you can’t tell me that you’re a Zero Trust platform if the first step of being Zero Trust is you have to control the endpoint. Because controlling the endpoint implies trust. Control the word itself in control implies trust, right? So if you’re truly a zero trust platform, you should allow any endpoints to have access to your environment and you have to validate who they are, are they accessing from a known device? Are they accessing information that’s relevant to them? Right. You know, so it’s this multiple layer of reaffirming, not trusting, but reaffirming you are who you are. You’re accessing from a device you’re supposed to be accessing from. You’re getting to the data you’re supposed to be getting to. Okay. You’re only doing what you’re supposed to be doing with that data. And so, you know, what we focus on is making sure that that endpoint does not present a challenge or a break in the chain of zero trust. You know, 

Adam McNair: what you’ve deployed at a high level. I know you mentioned the Army and you’ve mentioned the Guard and the Reserves. What’s the superstar use case that brought this up?

Jared Shepard: I mean, we have a lot, but I would say that how we started really in the Fed, um, was actually a very, unique use case in a very unique customer set. But but where it grew to is is the NSA has a program called commercial solutions for classified or CSFC. Um, we are, I believe now the largest NSA CSFC deployed platform in the Department of Defense as well. So, you know, for instance, U. S. SOCOM uses us at scale and other organizations uses at scale for mobile access to classified. Now that is not BYOD to classified. I don’t think there ever will be a BYOD for classified. I hope there isn’t. So that’s a managed GFE endpoint that then can following the NSA’s guidance, certain protocols get access to a classified network. You can use HyPORI for that. We are one of the authorized vendors for that. And I think the, one of the largest deployed vendors for that out there. And of course, why the NSA likes us for that purpose. Is the no data in transit, no data at rest from same reason why now you look at the army, what the army is looking at it for. And they’re in the process of deploying 20, their first 20, 000 users. And then going to scale. If you listen to Mr. McNeil, who was, you know, at the National Guard Bureau, one of our, our biggest advocates, uh, uh, you know, he pushed really, really hard for this as a guard solution, because remember we talked about, you know, the defense industrial base and. You know what happens if you need access to dot com and dot U. S. Well, think about that from a guardsman standpoint or reservist standpoint who has a day job and that day job may require that he has an M. D. M. On his phone, right? Well, then how does he access the nipper net to do his guard work on the weekends or, you know, during during drill time? If he already has an MDM on his device, you can’t have two, you can’t have two security containers, right? So Hypori solves that for the garden reserve or what they call COMPO2, COMPO3. Um, it solves it for that side of the house at massive scale. It gives people who, who would normally have to drive 30 minutes into an armory to get access to Nippernet just to do basic NCERs or OERs and that kind of thing. It gives them access and the ability to be way more productive in a more convenient way at scale. And then the Army, of course, you know, with which, you know, led by Dr. Iyer and General Morrison, that, you know, G6 of the Army and the CIO of the Army, you know, they’ve looked at this as an opportunity, uh, to also improve efficiencies across the Army, improve access out at scale, uh, reduce maybe the actual physical infrastructure requirements that are actually on NIPRNet because, you know, does NIPRNet really need to be this all expansive, all camp, post and station encompassing thing, or does it become an access platform that you do CUI and unclassified based information, right? And and the reason why we’re really looked at not only we have CSFC platform, but we talk about your PKI certificate in that cap card is a CUI certificate. Which means if you’re using an endpoint management platform of any kind, you’re storing a CUI certificate on an uncontrolled endpoint. And that becomes problematic, right? So, so we solved that because we use a corporate certificate on the external side of the tunnel. You actually would resolve against your personal PKI certificate inside the VM. Which means there is no CUI certificates ever in transit or at rest, public or private key, uh, in our solutions. So it offers a lot of ways to solve problems for the Army on the unclassified side of the house, both the Army, the Army Guard, Army Reserve. I’d also argue the other components as well, and hopefully some of them are going to participate in this pilot with us, uh, as well.

Adam McNair: So that makes a tremendous amount of sense. The idea of anytime you have somebody that is a periodic Or part time, you know, when I think about all the customers we’ve supported over the years, uh, FEMA, when there are disasters and you’re going to get a bunch of different people that might be from everywhere. I mean, you get state, you get local, you get all kinds of groups. I’ve done a lot of DHS work in the past where one of the biggest challenges was. You have something at the DHS level that is classified and maybe it’s secret, maybe it’s lower than that, but state and local doesn’t have that kind of clearance. And so you can’t give them a device that they can put that information on. So those kinds of use cases that we pretty much just had to say, well, We’re going to have to throw people at this. We’re going to have to have 

Jared Shepard: people sit down and buy more infrastructure and build more infrastructure, right? You know, and you’re actually speaking to, you know, part of our larger public sector sales approach is like, look at that FEMA, that use case, that perfect use case, right? Okay. A hurricane hits FEMA shows up. Well, who else shows up? Well, the army may, the army may show up for a red cross shows up. National guard may show up state and local shows up. Volunteers show up other governmental organizations, but you have potentially show up, you know, it becomes a nightmare of collaboration. Right. And historically, like FEMA literally shows up with transit cases, full of radios to hand out. Right. And they try to figure out how do we truncate from radio system A to radio system B, and how do we talk to state patrol versus how do we talk to the national guard? This is a problem set they’ve always had right across the board. Well, do you know what every single one of those people have?

Adam McNair: Smartphone their own smartphone right 

Jared Shepard: now. Imagine if in an emergency environment that you could stand up a provisional cell phone network or if the native cell phone network works, all you had to do is send out an encrypted certificate ultimately to the end point that you would actually scan and all of a sudden, you know, QR code. That was a, that was a word I was looking for. You send out an encrypted QR code to anybody who you want to participate. They download the app and their provision. Now they’re in your environment. They’re securely command and controlling within your environment and they have visibility of each other. They can securely share information and pass information between each other. But Oh, by the way, when it’s, when the exercise is done or when the event is done and you deprovision everybody. They’ve never been in possession of the data, which means there’s no loss of HIPAA. There’s no loss of PII. There’s no loss of government sensitive information, TTPs, everything else like that, right? Because you’ve contained that all within the enterprise environment that simply was just managed in cloud or, you know, in some of our customer use cases in a vehicle mounted a rack where they have a deployable, you know, platform. 

Adam McNair: I’m thinking about so many times where we had those kinds of challenges. I’ve also done a lot of inspection type programs where we were building the apps for inspections and inspectors are going out and whether it’s food facilities, whether it’s mines, whether it’s national parks, there’s all kinds of Inspectors that go out and it’s a pretty common use case for the government. You know, if you need to have somebody go through and inspect a zillion miles of road for the National Park Service, that’s exactly the kind of thing where they will go out and say, look, we’re going to go hire somebody for, you know, 300 hours, and they’re going to go out and do this and send a report in and The amount of infrastructure that it took to provision devices and send them to those people and FedEx them to their house. And then when it’s lost or it’s broken, now it’s off schedule because now they can’t get a different one. And now we have to reprovision and everybody that gets something like that seems to either forget to return it or they lose it Where it got dropped and broken and 

Jared Shepard: well, and remember guys, this isn’t a problem unique to the government, right? The commercial world faces this too. Like look at the sec has dealt, doled out like, you know, over 10 billion in fines, but that may be overstated. It may be over, I think it’s like one and a half billion in fines to banks, you know, because of sec violations during, during COVID all of a sudden people were texting their, their customers. Financially sensitive information in a non logged environment, right? Well, so, so now you got, you got regulated healthcare, regulated healthcare, same problem HIPAA. I mean, HIPAA is chomping at the bit to go after some of these healthcare providers over COVID who have essentially just disregarded HIPAA regulations on protecting information, you know, patient information. You know, anywhere that you are interested in protecting information sets, data sets, you know, heck the special Olympics selected us because they thought they were going into Russia to do the next special Olympics. Well, why is that a problem? Do I mean, we probably don’t have to say that for this audience, right? But, but of course the worst thing that could ever happen is, you know, at the finals of the special Olympics, all of a sudden the data becomes ransomed. And if you want to finish the Olympics, you’re going to have to pay a 10 million ransom to get your data back. That’s like a nightmare scenario for that kind of environment, right? So they had already selected us as their entire mobile platform for that as well. And it all comes back to data at rest, data in transit. How do I allow a zero trust environment that I assume the endpoint is potentially an aggressor platform? Either malicious, like knowingly or unknowingly by the endpoint user, you know, how do I enable that to interact with my environment in a safe and secure way?

Adam McNair: So what’s next for your platform and your tool set? Are you focusing on just continuing to expand and take this to additional customers and additional markets? Or is there, is there some next, you know, big leap? But it sounds like, I mean, the capability that you have sounds truly next generation kind of thinking. So is what’s next? Just continuing to take this to organizations that don’t realize how much. They don’t realize how much easier some of these, you know, these challenges they’re facing and having to throw people and infrastructure at could be.

Jared Shepard: So, you know, the BYOD problem set is obviously that’s where we’re attacking right now, because we think we’re a completely new solution. We don’t really believe we have any pure technologies out there that do what we do. And it’s a new approach to a very old idea, right? That the beauty of this is the simplicity of it. If you think about it. What we’ve done is we go back to the mainframe days. We essentially just created the ability to for you to have an unlimited amount of dumb terminals on the edge that can interact with data but don’t actually present any risk to the data. But why is that evolutionary for us? And why do we know? What do we think that what’s next is, right? I do believe I’m going to grow and scale and take over most regulated data space when it comes to endpoint BYOD access, that kind of thing. But bigger than that, I think we can have a new conversation about how endpoint works as a whole. So when I say that is like if I show you Hypori running in a high performance cloud environment right now, that operating system, if we did a bandwidth test, will pass four to six gigs of bandwidth, gigs. To an endpoint that has a 3G connection or a 4G connection or a wifi connection, right? Because remember, the operating system isn’t actually on the endpoint, it’s on the backbone of the data fabric, right? Oh, by the way, that’s also the same for processing course. So if, if you, if you have a handset in your hand, one of the, you’ll say like for instance, this is the I, I carry the Samsung S 22 Ultra, right? It’s a great phone, one of the highest performing phones on the market right now. But if you run a benchmark against Hypori running in a high performance cloud environment, I’ll beat that phone by 40%. So you start to think about what are the implications of that? What if you could get to Hypori from a television, from your 72 inch TV? How many PCs do you have in your house, right? What if you could get to it from your 72 inch TV? app, have a Bluetooth keyboard and mouse, and now you have a faster performing computer than what you could go buy from Best Buy.

Adam McNair: I didn’t even consider the speed aspect of it. I mean, 

Kevin Long: yeah, more secure, more secure and processed in the cloud where you have. Unlimited vertical and horizontal scaling of processing.

Jared Shepard: We literally joke. We say, hey, look, I’m putting the power of cloud in your hand, right? You know, because if you start to think about that as the technology advances, you know, we’re going to, we’re moving more towards a Kubernetes base and container lists, you know, serverless data platform, etc. But could you imagine an environment in cloud where I could dynamically apply resources against your need for an incremental period of time? Right? So for instance, you do something really heavy. I throw 32 processing cores against you and 32 gigs of RAM against it. And, and then the minute that that requirement is done, you know, a couple of seconds later, I, I, I, I down provision you back down to a handful of processors again.

Kevin Long: And the only thing that you ever see on your handset is the pixel change. That’s all. 

Jared Shepard: Well, so you look at like what was required for technology like this to become relevant. A couple of things. One was this technology has been around for a while, right? You know, so, okay, so why didn’t it take off four years ago or five years ago? Well, a couple of things had to change. One of them was an event, right? One of the biggest events of our lives is COVID, right? Because pre COVID, If you had walked into the government or walked into a major bank or anything else like that and said, Hey, how are you going to allow 80 percent of your workforce to work from home? You’d have been laughed out of the room. 

Kevin Long: Right, right. Yeah. We’ll let them work from this cubicle. It’s fine. 

Jared Shepard: Yeah. Today it’s a very different conversation, right? We now understand the reality of having to empower people to work remotely. There were also the evolution of two technologies were really necessary to make this work and work as, as effectively in that scale as it does too, which was, and they both kind of came together at the same time, which is a perfect storm for us. One was Cloud, right? The actual literal ability for cloud to mature, it became to its mature stamps to a point that it is today, where you can apply, like you said, unlimited resources vertically or horizontally, you know, in a cloud environment and be able to do so dynamically. And when you think about the way people use a mobile device, that incremental compute, you know, that I use it for a little while, then I don’t use it.

That’s perfect for cloud, right? Nobody. You know, you put it in your own data center, something that you’re gonna run 24 hours a day, seven days a week, but that’s not what we use mobile operating systems for or even a desktop operating system for, right? Um, so cloud is beautiful for that. The other thing that was required is, well, five G, the idea of a high bandwidth, but less less important about bandwidth. More about latency, a low latency access network that’s accessible from anywhere. Because, you know, in the end, the enemy of all virtualization is latency and dirty networks, right? But so in an environment that has very, very low latency with unlimited resources in cloud, all of a sudden we could change the way edge compute is considered.

Kevin Long: mean, low latency, but also, I mean, You don’t need 5G bandwidth for that because you’re not sending, I mean, 3G bandwidth works for you. The beauty of 5G for us is less 

Jared Shepard: about the bandwidth, it’s more about the low latency. latency. 

Adam McNair: Yeah. And that was always what would happen is if anybody was going to, when you tried to do something virtualized like that, whether it was virtual desktop or any of the, you know, those kind of tools, as soon as there’s latency, then your customers go like, I This thing, and, and I’ve tried to use some things before, where you, you felt like you were, it’s like the old Apollo 13 stuff, where you were typing and then all, 

Jared Shepard: yeah, 

Adam McNair: yeah, yeah, well, it’s fascinating and exciting to have something that is truly without category. I mean, because it usually, I think, means there, there, there was a point where. This cloud thing wasn’t a category because best data center solution was the category. Yeah, originally 

Jared Shepard: it was called outsourced data centers, right? Yeah. Right, right. 

Adam McNair: Um, so I mean, that’s really fascinating. Congratulations on, on what you guys have, have built. If somebody wants more information, they’re interested in it and they’d like to talk to you, what’s the best way to get in touch with you guys? 

Jared Shepard: Sure. I mean, you know, just like everybody else would go to our website, which is, you know, www. hypori. com, which is H Y P O R I. com. You can find us on LinkedIn. You can find us, you know, any number of mechanisms and social media, et cetera. And, you know, we got a great team. You know, we are, we are still a small business, right? We’re a better known business, but we’re growing rapidly. We’re building out our capabilities. We’re looking for great partners. We’re looking for great customers. We’re looking for great ideas. So, you know, just reach out to us. You want to see what we’re doing? You want to try it out? You don’t believe us. You want to throw the BS flag on me. You can do that. And then once we show it to you, you can then become a, an advocate and go and advocate for us out there.

Adam McNair: Fantastic. Thank you so much. This has been a fantastic conversation. And it really is, you know, these are the parts of technology where you see broad reaching impact that are positive and bring security and apply that to the use cases in the government where it is going to save lives or. It’s, it’s going to allow better disaster response. There’s so many things, you know, it’s going to avoid data leaks and security problems. There, there’s so many positive things. It gets really exciting, uh, you know, for somebody like me who has just always worked federal government. Yeah. 

Jared Shepard: We’ve been really excited. I mean, you know, again, having leadership that is willing to be a change agent because change is difficult. It’s, it’s not human nature. Everybody resists it. But having guys like Dr. Eyre, like Ken McNeil, General Morrison, who are really willing to take some risk and push out change has been pivotal for us. 

Adam McNair: Fantastic. So, look, thanks again for joining us. Thanks, everybody, for listening to the Highlight Cast. You can keep up to date with Highlight, our news and activities. Follow us on LinkedIn or our website, HighlightTech. com. On a weekly basis, I’ll, I usually have some content going out off of LinkedIn for topics of relevance to the GovCon community. Tune in again for our next episode, we will, you can watch our LinkedIn for when that’ll be posted. Uh, thanks again to Jared Shepard from Hyperi, thanks again Kevin, thanks so much and we’ll see you next time.

The views and opinions expressed in this episode are those of the hosts and do not necessarily reflect highlight technologies and or any agency of the U. S. government.

Monitoring of Section 508 Compliance by Federal Agencies Likely to Increase

Pressure may soon increase on Federal agencies that have failed to meet Section 508 compliance regulations. As part of a 1998 amendment to the Rehabilitation Act of 1973, Section 508 requires that all Federal electronic information and data be accessible to all users regardless of abilities. Legislators want to see more proof that government organizations are following the law, now in its 25th year.

It has been 10 years since the Department of Justice (DOJ) surveyed and produced a report on agency response and compliance with Section 508. A bipartisan group of Senators, led by Sen. Bob Casey (D-Pa.), call for a new report to be made, as mandated by Congress. The DOJ and the Government Accountability Office (GAO) are working on a response.

Sen. Casey, chair of the Special Committee on Aging, leads the charge “to bring some sunlight onto 508 agency efforts,” reports the Federal News Network. “The Biden administration’s clarion call for diversity, equity, inclusion, and accessibility (DEI&A) is ringing hollow unless agencies do more to show and tell how they are meeting both the spirit and intent of Section 508,” writes Executive Editor Jason Miller.

A Mixed Bag of Results

A new report from the DOJ will find that Federal agency progress remains slow to comply with Section 508, experts say. Quoted in a story by POLITICO, George Towne, chair and CEO of Access Ready, a disability rights advocacy organization, said that Federal agencies are hindered by “a flawed process.” The Federal government remains behind the curve, Towne said.

The last DOJ report on Section 508, released in 2012, found that nearly 60 percent of agencies reported not providing Section 508 training to employees. “Lack of resources” (58 percent) was identified as the top challenge in implementing and complying with Section 508, followed by “Lack of general awareness” (50 percent), and “Lack of or inadequate training” (43 percent).

Compliance gaps remain. In a 2021 Section 508 compliance study, the Information Technology and Innovation Foundation (ITIF) conducted tests of the top three visited pages of popular Federal websites. Of the 72 websites tested, 48 percent failed the accessibility test. As you drill down, deeper into sub-pages and content links, compliance is likely to be worse.

The Cost of Non-Conformance

Section 508 is broad. It applies to nearly all forms of modern communications: websites, applications, videos, PDFs, Word documents, email, graphics, data tables, color choices, contrast, and much more. But while good-intentioned, Section 508 is often difficult to comprehend and follow. The law, for example, does not prescribe the testing tools that should be used or processes to follow. Policy and enforcement vary. Resources aren’t available for adding the number of 508 specialists needed to help. What we see are differing interpretations of the standard and a wide range of approaches – sometimes within agencies and even within departments. Deadlines often determine how much attention 508 compliance gets.

The result is non-conformance, which can be costly in terms of money and time.

“Section 508 provides remedies to those aggrieved by violations of [Section 508] through the long-standing Rehabilitation Act provisions, found in Section 505, which, after administrative remedies are exhausted, allow for both private rights of action in court and for reasonable [attorney’s fees],” according to the American Foundation for the Blind (AFB). For agencies, this can mean mounting legal fees, time spent on mediation, and an unexpected shift in project priorities.

Such cases are “only a representative sample of the inaccessible experiences of thousands of blind Americans,” said Anil Lewis, an executive director at the National Federation of the Blind (NFB), in testimony to the Special Committee on Aging. “This statute, with the promise of creating so many opportunities for people with disabilities, is failing due to a lack of proper implementation and enforcement, and in many instances, this makes it even more difficult for people with disabilities to access information and services than before.”

The NFB serves as an advocate and resource for many of the legal actions and settlements, including a 2019 suit against the U.S. Department of Agriculture (Clark v. Perdue Complaint) and a 2021 settlement agreement involving the U.S. Department of Veterans Affairs (McDuffie v. McDonough Settlement Agreement).

Perhaps the costliest result of a Section 508 complaint is that it forces an agency to make retroactive changes, which requires considerable reformatting and effort. As Highlight 508 specialists remind me daily, the job is easier if you start, from the beginning, with 508-accessible templates and base documents and project management strategies that incorporate 508 recommendations and testing.

The Road to Inclusivity

On a macro level, the 2012 DOJ report provides guidance on ways agencies can establish a culture of 508 conformance, including:

  • Establish Section 508 Policies and Procedures (DOJ found that just over 50 percent of agencies had Section 508 policies).
  • Appoint Coordinators and Establish Section 508 Offices or Programs (70 percent had a coordinator, but only 35 percent had established a Section 508 office or program).
  • Provide More Training to Agency Personnel (Only 40 percent provided training).

At the task level, there are hundreds of government and non-government resources on how to make and test digital content for 508 compliance. But be warned. The guidance can become quickly overwhelming. Highlight urges its clients to ensure compliance throughout the content development lifecycle, starting with compliant templates, baking in project time for compliance checks, and having content tested and reviewed by one of our 508 specialists.

While the legal ramifications of not complying with 508 standards are reasons enough for agency concern, it is also the right thing to do. Access is vitally important to everyone.

“Accessibility, the ‘A’ in DEIA, is a foundation on which the federal workforce must build diversity, equity and inclusion for people with disabilities,” according to the U.S. General Services Administration’s Section508.gov site, which has information on content creation, testing tools, training, and special events. “Without accessibility, we cannot truly achieve the others.”

Here are a few more resources:

U.S. Access Board, which develops and maintains 508 standards

Guidance on effective alt text from Microsoft

WCAG Color Contrast Checker

Web Content Accessibility from W3C

WAVE web accessibility evaluation tool from WebAIM.org

Section 508 Checklist from WebAIM.org