Episode 28: Breaking down Scorecard Bids with Joe Salgado 

Announcement: Broadcasting from Fairfax, Virginia, you are now listening to the highlight cast.

Victoria Kruemmer: Hello, and welcome back to the Highlight Cast in the new year, 2023. We’re excited to start the new year with a new group of folks on the show. My name is Victoria Kruemmer, the marketing manager here at Highlight. We’re also joined by Emilie Scantlebury, our director of corporate portfolio development from our business development team.

Welcome Emilie, and happy to have you on today. 

Emilie Scantlebury: Hey, Victoria. Happy to be here. Thanks for having me. 

Victoria Kruemmer: Of course. Even more excited, we have Joe Salgado from Red Team Consulting joining us today on the show. Joe is the GWAC and IDIQ General Manager supporting teams not only to bid on these, but also to win slots on these sought-after contracts. So hi, Joe, and welcome. 

Joe Salgado: Hey there. It’s great to be here and thank you for having us, Victoria. 

Victoria Kruemmer: Would you start us off, Joe, by just telling us a little bit more about Red Team and your role in the RFP process for your clients? 

Joe Salgado: Yeah, sure. Red Team Consulting is based out of Reston, Virginia, but our employees are all around the country. And we have consultants that help with everything for the full life cycle of business development, starting with growth and developing opportunities and developing pipelines. We have a general manager that focuses solely on that, along with consultants that can help any client focus in on a service area or an offering that will be attractive to the federal government. And then we have a capture organization also that helps out once those opportunities have been identified. Then we have consultants that can either do the full capture life cycle, which is everything from identification to moving into a proposal phase, or parts of it. So a black hat situation, competitive analysis, win theming, hot button identification, call planning, all of those things we have consultants that can help out with. And then we have proposal management, and proposal management is obviously from the time the RFP comes out to the time that it’s submitted and anything that is on post-submission. And we have proposal managers, writers, document specialists, which is something we’ll talk about today, I’m sure, as well as pricing experts to help with all parts of our proposal phase. And then myself, I’m involved in the pursuit and capture of government-wide acquisition contracts or multiple award contracts and IDIQs, which stands for indefinite delivery, indefinite quantity contracts, which are usually multiple-year contracts with multiple awardees and are in the usual billions of dollars of overall contract value. And then what we do, what I do, is actually look at each one of these and identify the ways that companies can pursue them, what they need to pursue them, those that can pursue them and those that can’t pursue them. And then I work with our consultants either on the capture or the proposal management or the growth side to kind of give them the strategy that they need. And I’m a resource that they can come back to bounce ideas off of specifically to their customers. I also do presentations for multiple industry organizations to help promote these vehicles, as well as to explain what is going on with these vehicles on a global basis.

Victoria Kruemmer: Awesome. I know you guys run the full gamut of proposal support and just the whole capture process from start to finish.

Joe Salgado: Yeah. 

Victoria Kruemmer: So for a lot of teams, they just submitted Polaris. And as we look forward into 2023, OASIS Plus is on a lot of people’s radar. So for many people, they’re right in the middle of the mix in terms of scorecards. And some people might be just learning what they are and how to approach them. So Emilie, Joe, for all of those new to GovCon or even just scorecard bids, what is a scorecard bid, and why is it significant in this discussion around, you know, GWACs and IDIQs? 

Emilie Scantlebury: Yeah, a scorecard bid versus an RFP, they have some critical differences. The first and foremost, of course, is the actual scoring element of the requirement in your response. Scorecard bids usually lay out a number of different qualifications that they are looking for to prove that you as the offeror are credible and capable of supporting task orders of the size and scope that are going to be procured under the vehicle. So these qualifications could look like anything: the size and dollar value of the past performances that you’re citing. They could look like organizational capabilities, such as your ISO or CMMI certifications. They could look like qualifications for OCONUS work, if the vehicle encompasses some out-of-country or in-country support. So it really spreads the gamut. They’re usually pivoted off of a set of past performances, either like five or 10 references that you can use to really maximize your scoring points. And I think the really interesting part from my perspective on scorecard bids versus some RFPs is that you can get really creative with how you are looking at your past performance, and that creativity often sparks new knowledge on what’s in your portfolio. You know, oh, I didn’t realize that for project A we’re not just doing cyber security. We’re doing cyber security and policy writing, as an example. So it’s good all around from an offeror standpoint, and it really forces you to take that hard look at your portfolio. But Joe, did I capture that well? What do you think? 

Joe Salgado: Yeah. And just to explain what a traditional RFP entails: usually there is a written response to a technical, sometimes a management, and then a past performance write-up. What the scorecards have typically done is take that technical element as well as the past performance element, in most cases, and change them to a binary scoring. What you’re looking at is, with federal acquisition regulations, all of these vehicles have to evaluate the technical merit of each one of these. And you can do it in multiple ways. In some cases, you’ve probably heard of blue, green, yellow, red evaluations. What you’re doing with a scorecard is just stack ranking them in the same way, but doing it with binary elements. And that’s a very key part of these scorecards: it has to be something that is provable, and it has to be something that’s quantifiable. Both of those things are very important. So saying you did very good, or using adjectival responses, which might be written in some cases, is really hard to do on a scorecard. You have to show in a very succinct way that you’ve done work. The government has some classification codes and certain things that they use that allow them to show something has been done. Let’s call it that. It’s not what the intended purpose of those classification codes was. So it’s a situation where it’s interesting. 

Victoria Kruemmer: So from a government perspective, what do you think the inherent benefit of a government customer is to use a scorecard over an RFP? 

Joe Salgado: Usually the benefit to that is these contracts that are using scorecards primarily are usually 5 to 10 year contracts. And in some cases the contracts have met their ceilings, or dollar ceilings, for the overall contract, and they are in a time crunch actually to try to get these re-awarded. In other cases, it’s just been a trend that has taken hold. For example, the General Services Administration, probably 15 years ago now, with the original OASIS contract. They were the first ones to really do the modern scorecards that we’re seeing right now. And that is where a lot of this was worked out through questions and answers and market surveys, and a lot of different things that were going on at that time. And so GSA has kind of adopted using this for almost all of their GWACs and IDIQs at this point. So you’re seeing some element of this at 8(a) STARS. You’ve seen it in Alliant. You’ve seen it now in Polaris, which was just last year, and you’re seeing it in OASIS Plus and the Alliant 2 recompete.

Emilie Scantlebury: And to build on that, Joe, I think from my perspective, what I hear from the government is the scorecard bids are creating a pool of very much vetted offerors that are getting on the vehicle, because, as you said very well, the scorecard nature leaves very little, if any, room for adjectival or, let’s call it, more descriptive words in a technical approach. It is tried and true. You either did it or you didn’t. You either have the qualification or you do not; you either qualify or you do not. And so it’s just, yeah, it’s creating that more seasoned, vetted pool of offerors. Good job. 

Joe Salgado: Exactly. And it’s very hard to write around, as they say, the fact that you don’t have the qualifications or something, and it does drive towards that.

Victoria Kruemmer: From a contractor perspective, would you say that there are the same benefits to the contractor in terms of there’s a tried and true, you-either-have-it-or-you-don’t kind of approach to a scorecard versus an RFP? Do you think that it’s supported a more transparent procurement process from a contractor standpoint as well?

Joe Salgado: It’s caused friction in some cases. And for those contractors, for unrestricted contractors, especially those very large contractors that usually have acronyms for names, it’s been accepted because they do have the experience that’s required. Because what it really comes down to, as Emilie said, is there are some points that are given for certifications, accounting systems, and a few other areas, but they’re not the real bulk of the points. The bulk of the points are usually very tied into the experience of the contractor. And what happens here is there’s pressure on all these GWACs because they’re 10-year contracts that usually have, in some cases at year five, the opportunity for what’s called an on-ramp, so new contractors can come in at year five. So a 10-year contract for a government-wide acquisition contract for IT services creates a lot of pressure on the contractor community, especially the small businesses, to say, I want that 10-year contract for the next 10 years. So I am going to move heaven and earth to get it. But on a scorecard basis, if they don’t have the experience required to get that, then it leads to looking at other options, is what I’m going to say right now. And really, those other options are teaming, joint ventures, and a lot of things that are offered to small businesses through the SBA regulations that exist, that then create unintended joint ventures. Let’s call it that. Things that normally wouldn’t happen in a normal business situation start to happen to address that pressure, to say, okay, I am going to team up with this company because they can give me three extra past performances to get me 400 extra points. And we might not get along that great, but we both will be in it 10 years, which, if you were a bank and somebody said that as a business plan to you, you might go, should I give you that money? 
So that’s a situation where you are really looking at a lot of different things going on that are unnatural due to the fact that these scorecards exist. And the biggest area of point scoring is really the experience points. 

Victoria Kruemmer: So we’ve kind of already touched on how these are inherently different from RFPs. So, with that being said, what are some of the best practices for preparing for a scorecard versus, you know, that traditional RFP? What kind of preparation would you come in with versus, you know, traditional RFP? 

Joe Salgado: Emilie, do you want to jump in, or I can jump in too? The way that I look at this is that Emilie touched on this earlier on: getting to know your existing work, because you’re usually looking at experience examples from three to five years back. And I mentioned earlier on, or I alluded to, the way that experience examples are coded. There is something called the North American Industry Classification System, I can’t believe I can remember that, which is commonly referred to as NAICS codes. You’ll hear that a lot in a lot of different discussions. Those are codes that were assigned for contracting officers to classify how work is performed. It usually is how the contracting officers define what a small business is. But because there is a lack thereof of any other binary way of describing work, that’s also how the scorecards are figuring out whether something is relevant or not. It’s not what its intended purpose has ever been, but it’s what the scorecard contracts are using as an automatic “this is relevant.” Usually with all the scorecards, there is a secondary way where you can get a contracting officer’s signature to validate something, but NAICS codes have been the way that they have always usually classified whether something is relevant or not. So getting to know all of your NAICS codes on all your existing work is the first thing that you want to do. You want to find out what those are. You want to get your FPDS documentation, because almost all of these scorecards are asking for that information. That’s what determines how much the value is of something. It determines certain types of contracts that have been awarded. It is a signifier for a lot of that information. One thing we haven’t talked about is commercial work. And in some cases, if you are a subcontractor on experience, then that is classified as commercial work as well. 
So getting your commercial information as much as possible, to understand everything that it is that you’re doing. And then it usually takes, on the contractor side, to do a scorecard bid, a lot of investigation. It’s interviewing your program managers, finding out from people that are actually working on site what they are doing at all times. That is very important to figure that out. 

Emilie Scantlebury: Yeah, Joe, you touched on an important point that I want to expand upon, which is: a lot of times these vehicles, companies track them for a significant amount of time, call it 12, 18, sometimes, in many cases, even longer than that. And we all anxiously await the drop of a draft scorecard so that we can start applying that documentation, all of that pull-down of, okay, here are my suite of opportunities and past performance programs I can reference, and here’s my documentation, and let me start on that draft scorecard. And the one thing I’ll add on that is: make sure you have a contingency plan there. These opportunities, as they move through draft cycles, and then sometimes as they are in the post-RFP stage and as amendments are issued, they can change. So removing your horse blinders from yourself, taking a 360 view at your entire portfolio, and being prepped to slide in project B for project A, should the need come, is critical, because they move fast after they are dropped. And often I joke with some of my colleagues, it’s like trying to get into Game of Thrones at season 5; after an RFP drops, you can’t just jump in. If you are the point of contact for your organization, and you are working this bid, and you are coordinating with your teams, that preparation is critical from my perspective. 

Joe Salgado: Agreed. And in some cases, a lot of what I’ve heard when I talk to clients is they want to apply the rules of a previous scorecard to the current scorecard they are working on. Play by the rules of the game that you are working on, not by the previous rules. And there are different government agencies who look at things differently, as well as set up rules. So the rules are what you are playing on, not what happened on a NITAAC bid a few years ago or a GSA bid. I’ll bring up those names. They’re all very different and they have different peculiarities. 

Emilie Scantlebury: Yeah, that’s a really good point, Joe. 

Victoria Kruemmer: So, kind of shifting gears here. Before we hopped on this recording, we were chatting a little bit about just the history of scorecard bids, looking back all the way to the original OASIS as kind of the modern scorecard, to take Joe’s terms from earlier. What kind of trends are we seeing now? I know you just mentioned about six different ones that have come out and are coming out over the next year. So what kind of trends are we seeing? And also what kind of things do you guys anticipate to continue seeing? 

Joe Salgado: I’ll jump first and then let you provide color there, Emilie. But what I see more and more now, and the government is moving more and more to this type of bid, because they’re not looking forward to re-competing these; this is a lot of work for them. You’re talking about thousands of proposals coming in at any given time. And honestly, the vehicle itself does not hold the dollar value. They want that to be awarded so the task orders can be completed, not for the award of the actual general vehicle. For contractors, that award of that general vehicle is incredibly important. They’re the crown jewels of the federal contractor. So what everybody is looking at is resources. If you listen to the way that CIO-SP4 was discussed at the beginning of the draft RFP process, the thing that they were most concerned about, and I always listen to hear what the contracting shop is most concerned about, they were most concerned about the number of proposals they were going to get and how many they were going to have to evaluate. The scorecard was a solution to their risks. Same thing when it comes to other vehicles: you’re seeing that vehicles are hitting their ceilings right now. So VA T4NG2 announced the draft at the end of the year last year and dropped one, and they’re planning on competing that contract next month. So it’s a situation where it’s very quickly happening, and they’re hitting their ceiling and they have to get another contract award, and they have taken what has traditionally been a very classic technical sample task order, pricing response, and switched the entire contract to a scorecard. So you’re seeing these large vehicles that have billions of dollars attached to them, really on the vehicle side, moving to a scorecard approach, and then letting the task orders be where what we’ve been describing as the traditional RFP response resides.

Emilie Scantlebury: You’re spot on, Joe. And there’s a lot that we’re seeing patterned in that way, but we’re also seeing some new interesting things, like on OASIS Plus with a qualifying threshold. I’m really interested to see how this plays out in future procurements over the next, and I’m talking big time, 5, 10 years when we look at scorecard bids. Will that take hold? Will it have footing? Is it as, quote, protest proof as we all hope it is? Because, you know, they are the crown jewels. These are what provides the license to fish, or whatever phrase you want to use, for offerors to go and win new work, to provide more career opportunities for their folks on staff, for the government to procure from vetted offerors, if you will. And so we all want the protest nature behind some of these vehicles to be more limited, and I’m really curious to see if that’s going to take hold. 

Joe Salgado: And that’s the one that I’m most interested in, because I’ve got two pressures that I see that create a lot of this protest. I think the way that we talked about it prior to recording was: is there a way to make these types of bids protest proof? The answer is, I don’t know, because the pressures that are there are very interesting. And the two pressures I see the highest are this 10-year: I can’t get a contract for 10 years. And the other is: I can’t get to the right amount of points, or I don’t know what that threshold is. Those are the two questions whenever I present on any contract with the scorecard. That’s the thing that everybody wants to know: what’s the threshold going to be? So when it comes down to that, what OASIS is doing is, and it’s very interesting because in a lot of cases they don’t want to be called a scorecard. They’re using the term qualification matrix, and they’re not even using the word points. They’re using the word credits. But behind that, they are providing the threshold. And there is an unlimited award pool. If you meet the threshold, you get a contract. Secondarily, they’re using something called ongoing on-ramps; frequent on-ramps has been used also, the terminology that states that when you meet the threshold requirements, their intention is to allow for any bids to come in at any time. So it’s not a situation where you only have a shot at this every 5 to 10 years. It’s: when you meet the threshold, you’re a qualified vendor. You get on. A lot of subcontractors that are higher up on the food chain are saying, well, wait a minute, that’s a schedule. It’s not a schedule, because there will be cost-plus contracting, and these thresholds are not minimal. A schedule is something that, if you have minimal qualifications, you can get one. And when you look at the elements of what you need to do to get to the credits to meet the thresholds, it’s above and beyond what a schedule. 

Victoria Kruemmer: Well, you mentioned this a little bit earlier too, that there’s a big strategy around how do you make sure that you qualify for these from a credits or a points perspective, in terms of, you know, we have those opportunistic joint ventures, if you will. And kind of a question for you and Emilie: how does that impact the access to these scorecard bids? How does it impact the access to these vehicles also for small businesses, mids like Highlight, and even larges? 

Joe Salgado: It’s an interesting scenario, because what we are running into is, when you have a limited award pool, it’s a situation where you are beginning to winnow down the number of awards. So let’s say, from what I’ve heard for T4NG2, there’s going to be 30 awards, 15 for unrestricted, 15 for small businesses. For the unrestricted offerors, it’s going to be hard to create joint ventures, because they don’t have the same benefits that a small business joint venture or a mentor-protégé joint venture might have. But for the small business pool, it becomes, okay, well, wait a minute, how do I get an actual award? If I’m just a small business, it’s under 30 million, because there’s only 15 spots, one goes to a HUBZone, one goes to a women-owned small business, and now we’re at 13. And so if you are trying to only make points, you’re trying to create a super team at that point, especially if teaming is open. And what you’re trying to do is try to get this super team to be able to get as many points as quickly as possible, and you have created an entity potentially that’s bidding on this that is better than everybody else. But the question that the community has for VA at that point is, are you really getting the best contractor to do the work that you’re asking for? Because of SBA regulations and the way that scorecards are built, both of which were created in vacuums separate from each other, you have opportunities to go after these in ways that might not result in what their intended purposes were.

Victoria Kruemmer: So, as we sort of wrap up on our scorecard discussion, I know a lot of people are going after the VA opportunity that you just mentioned, and OASIS Plus is right around the corner. Emilie, Joe, what is your top piece of advice for folks as they prepare for these scorecard bids? 

Emilie Scantlebury: I think from an advice standpoint, listen to what the government is saying closely. They are providing information to you intentionally. And I’ve noticed a high level of transparency from government to industry on these scorecard bids. I had the privilege of going to the ACT-IAC Imagine Nation ELC event back in October. Both the Alliant team and the OASIS Plus team were there briefing. At the end of the conference, they are out there in industry talking. Go listen. Read the RFP, to Joe’s earlier point. Don’t take what happened in Polaris as what’s going to happen in OASIS Plus, and for that matter, don’t even take what you are reading necessarily in the draft scorecard in OASIS Plus as tried and true and that’s going to be what it looks like at the final stage. Stay open, stay flexible, know your portfolio, know how you can use it to your advantage. And the last piece of advice, and we were talking a little bit about this before the recording started: getting on a vehicle is point A, and that’s great, and that adds a lot to your portfolio, but consider a task order strategy. Getting on these vehicles is only as good as you can win task orders. It’s only going to drive business and add to your strategy as much as you can add programs to your portfolio. And, you know, taking that into consideration and really thinking about how you’re going to be able to respond to those task order RFPs needs to be a part of the discussion when it is a draft RFP at the vehicle level. So that would be my advice. 

Joe Salgado: I second everything that you just said, Emilie. And what I like to do also with these scorecards, or any vehicle that I’m looking at, is be empathetic to the government, understand what their driving factors are. And to Emilie’s point of listening to each of these contracting officers speak whenever you can, there are so many more virtual events. A lot of what I could understand, and people were like, how do you know that this was going to happen on CIO-SP4 before Polaris? And I was like, well, it was the only natural conclusion after what I heard Brian Goodger say on this event here, that he’s trying to get to this point, and this is the only avenue that he has to get there. So it’s not just the reading of the RFP, but it’s also understanding who it is that’s driving the RFP. And when you are empathetic to them, then when you are asking for something to change, you’re usually asking for something to change in the right way in terms of helping them get through their process. Because none of these contracting officers or program offices want to deal with protests. They are a natural occurrence, especially when the pressure that we’ve discussed on this already is as high as it is. But when it comes down to it, they want to get these awarded so that they can start getting the task orders running. So knowing that, help them drive towards getting these things awarded. I understand that everybody wants these and there’s a lot of pressure corporately to get each one of these, but you’re going to get a lot more if you’re empathetic to what all players are doing and looking at things that are working well, as well as trying to fix those things that, you know, might have.

Victoria Kruemmer: Awesome. Well, I’m sure everyone listening in today is going to love all of these tips and advice. I know everyone is anxiously awaiting and preparing for a lot of the scorecard bids that we’re seeing coming out. I would say, make sure that you look out for resources like Red Team and other organizations that are chatting about these. Also check out events from these government customers that can give you insight into what’s coming and what’s happening. If you want to learn more about Red Team Consulting, you can visit their website at redteamconsulting.com. You can also find them on LinkedIn and other places. Joe, are there any other places?

Joe Salgado: I think Twitter as well. Yeah. 

Victoria Kruemmer: Okay. But I wanted to thank you both for being on the episode today. Thank you everyone for listening to the Highlight Cast. To keep up to date with all of Highlight’s news and activities, you can follow us also on LinkedIn. You can find us online at highlighttech.com, and we look forward to having you tune in to our next episode, where we’ll be talking about the software development life cycle with a lot of our development team. So thank you again, Joe, for being on the podcast today. 

Joe Salgado: Thank you for having me.

Episode #27: Low-Code Partner Series – ServiceNow 

Kevin Long: Broadcasting from Fairfax, Virginia. You are now tuned in to The Highlight Cast with your hosts Adam McNair and Kevin Long.

Adam McNair: Hello everybody, welcome to another episode of The Highlight Cast. This is Adam McNair. Thanks for joining us again. We are joined as always by Kevin Long. Kevin, how are you today? 

Kevin Long: I’m doing great. How about you, Adam? 

Adam McNair: Great. We are also joined by a couple of special guests. We are joined by Kevin Milner, who is one of our architects and part of several of our programs, and also Sarah Dryer, who is on one of our programs currently and has worked with us for quite a while. And we wanted to talk today specifically, and the reason that Kevin and Sarah are here, we wanted to talk specifically about ServiceNow. So, in the recent podcasts that we’ve been doing, we have been talking about some of our vendor partnerships. And again, the vendor partnerships are really a way for Highlight to deliver elevated services in support of a technical environment, that includes better utilization of a platform that has been purchased by a customer organization. So, that means different things for all the different platforms. That could be better access to training, better access to certified staff, etc. Now, we are a certified ServiceNow partner, and we’ve been increasingly using ServiceNow on some of our programs. Now, Kevin Long, when you look at ServiceNow in customer spaces, what are you seeing? You know, ServiceNow as a platform, what capabilities is that giving to a customer organization?

Kevin Long: A lot of times you’re seeing things, you know, historically help desk management, IT infrastructure and things like that. But even more and more, we’re getting to see things where, as a platform, we’re being able to implement customer workflows, be able to do asset tracking and things like that, and help provide a lot more business intelligence into how customers are operating both financially and technologically.

Adam McNair: Now, I’ve been involved with various ITSM-type tools. I think the baseline of that is pretty much just a ticketing system and the automation that you can build on top of it. And we’ve certainly seen this in ServiceNow. We talked in a previous podcast about process automation, and one of the things that we’ve seen is that a lot of your standard requests, certainly service requests, sometimes incidents, for things like requesting an account or requesting a password reset, there are things that are relatively typical that follow a pretty standard workflow. Now, like, I’ve done a lot of service desk work; there are things that have to go through a troubleshooting process, there are things that have to go through a little bit more nebulous approval process, because you have to decide if a person gets something, or do some sort of cost analysis, or so forth.

However, I do think that we see a lot of automation, and that ultimately increases the customer experience, and ServiceNow has supported that a lot. Now, Sarah, I know that you’ve been working on one of our Army programs, and I understand that, you know, you’ve been instrumental in our expanded utilization of ServiceNow in the environment. Could you talk a little bit about what the use case is there and how we’re using it? 

Sarah Dryer: So right now we are using ServiceNow as a centralized location for the Army, and especially for ECMA, to be able to manage all their licenses, and licenses as far as IT licenses or asset management licenses. So you have the Jiras and Confluences and the Collibras and things of that nature. Right now, all of that information that they have to track, performance dates, pricing, just in general, is just on spreadsheets. So the spreadsheet lives in every location you can think of, and there’s not a centralized location. Well, in ServiceNow, we are building that. We are building the ability for ECMA to be able to manage their licenses, be able to make sure that the customer doesn’t have a lapse in licenses, but also be able to manage the projects and then the budget that are associated with those licenses.

Adam McNair: So license management is a common issue. I mean, I think every organization has some aspect of license management; unless they’ve completely outsourced it to a different group, they face that challenge at some level. So is this replacing just a massive amount of manual labor to track, sort of, by email? Is that really kind of what ServiceNow is replacing? 

Sarah Dryer: Correct. It’s replacing the lack of ability to be transparent in what they have in their environment. It also can then expand from this very tight-knit unit and be able to expand to the Army as a whole. So the purpose of what we are doing is to be able to solve small, with license tracking and license management and requests, and then be able to expand Army-wide.

Adam McNair: So that makes a lot of sense. And so I guess the next thing that makes me wonder, and this is a question for Kevin Milner: somebody told me one time, as I was, you know, talking to them about some platform or tool that the salespeople had told me was, you know, self-explanatory, and the guy that I worked with said something along the lines of, everybody that’s really good at something thinks it’s self-explanatory. It’s when you pick it up and don’t know what you’re doing that all of a sudden you find out it’s really confusing and difficult. So I’ve been through a lot of demos for a lot of platforms. I’ve been through a lot of “low code, this is just configuration.” I’ve been through “hey, this is something that you’re going to have to write a massive amount of custom code behind to get it to do what you need.” As an architect individual and a developer, from the technology side of it, where does ServiceNow fall on that continuum, from every time something needs to change, it’s call Milner and have him write code in the back, or it’s pretty much click a button and something changes?

Kevin Milner: Yeah, ServiceNow bills itself as low code, meaning that out of the box, it will do a lot of things. If you have some specific requirements, though, for your organization, for instance, at ServiceNow, I mean, at ECMA, we have a couple of layers of approval we have to go through. So we have to automate the way that approval communicates back and forth between ServiceNow and the person requesting it, and going into ServiceNow, and then it going to the approvers. So we were able to actually do quite a bit of low code, meaning you write like a handful of lines of code, maybe. For the most part, it does everything that you really need it to do sort of out of the box and you just customize it rather than implement something new. Now, there is a lot that you can customize with ServiceNow, and so that can be somewhat overwhelming if you sort of dive in expecting to have it do what you want without working with it. So it does require a bit of a learning curve, but in theory, once you get past that learning curve, you can do 99 percent of what you need to do without writing code.

Adam McNair: And so is it safe to assume that the code writing is really for integration with other data feeds that maybe don’t have a ServiceNow API, or highly customized reporting or interface changes? Are those kind of the categories of things? Or, you know, so basically, if you want to track some things and have user permissions and access and those types of kind of fundamental services, that’s a front-end configuration as opposed to back end. Is that kind of how it works? 

Kevin Milner: Yeah, so for instance, I’ll give you an example of both cases in terms of low code. For that approval process I mentioned earlier, we were able to get an existing module that somebody has developed and sells through the ServiceNow store that can handle a lot of the PDF signing and uploading and tracking and versioning, that sort of thing. For another project, where we wanted to be able to get license counts from a specific administrative console for an application, we were able to write some custom code in JavaScript. It gets run by the internal JavaScript processor and executed, and we did that to actually reach out to another web page using HTML, pull it back, and then look for the specific data point we were interested in and output that. Yes, to answer your question. 

Adam McNair: Okay, and so what I’m also hearing is that, for lack of a better term, you’ve got essentially an app store, you know, and I know we’ve seen that with Salesforce, we have seen that with some other tools, that it is probably highly likely that the problem that you’re trying to solve has been solved at least in part by someone else, and there is a notional, call it a plug-in, call it a widget, call it something that you buy and add on to your ServiceNow instance. 

Kevin Milner: And ServiceNow uses both of those terms interchangeably for it. Module, widget. 

Adam McNair: Alright, so if we wanted a license capacity module that would give us a dashboard widget that would tell us where we were with licensing, and in the event that that was something that was in the store, now that may be a native capability, but if that was something that was in the store, as long as you have administrator access to the ServiceNow instance, you can install that. When you install that, is that installing it for, like, your instance, and everybody that uses it now has it? Or is it just installing it for you? Or does that get into kind of the user permissions and user groups? 

Kevin Milner: Yeah, I think that has more to do with the license of a given module. I know that for UXStorm, the particular instance we were looking at, or module we were looking at, it was per instance. But other ones, like the built-in ServiceNow HR module, are per person that you have in there. So ServiceNow makes it available to set the licensing structure to how you want on your modules. So it really just depends on what the author is doing. 

Adam McNair: Okay. And I guess my kind of last question on that angle of ServiceNow is from an implementation timeline. When you’re starting from notionally zero, let’s just say that they’re not using ServiceNow. Again, I know everything’s always constrained by requirements and how much you know about what you actually need, and if you’re trying to just do a pilot or do a full enterprise stand-up. But if you wanted to do, let’s call it a pilot, let’s say that you wanted to stand it up around something, you know, just like license management, you wanted to stand a tool like this up. Is this days, weeks, months? What’s that look like? 

Kevin Milner: So, I would say, depending on your skill level and your experience with ServiceNow, it could be anywhere from a handful of weeks to two months. And it depends on how much customization is required. For instance, when I worked at another organization, and I don’t know if I should say the name or not, they purchased ServiceNow to set up and initially went in with the assumption that we were going to customize everything. And if you do that, sure, you can do it, but that will really slow down your deployment. So really, ServiceNow almost takes the approach that you do the minimal amount of customization to get what you need, so that you can get going quickly and have a usable minimum viable product, and then put in all the bells and whistles that you’re custom implementing later.

Kevin Long: Future-proof it also at that point. 

Kevin Milner: Yeah, yeah, yeah. 

Adam McNair: Yes, and I think that’s consistent. You know, a lot of these platforms, and I correlate a lot of it, I think one of the first ones that was just so commonly available, SharePoint was everywhere. Oh, yeah. Because enterprises got it for free, essentially. And so it was an easy answer when it was, I need a solution for something. It was, well, can SharePoint do it? And you can dig a hole with a hammer, but I wouldn’t recommend it. And so, yeah, it’s good, Sarah. 

Sarah Dryer: And I was going to say, ServiceNow, based off of that too, their users with licenses is incredible. If you come in and you request something, that’s not a license that you had to pay for. So you can do an umpteen amount of requests to a landing page, things of that nature. The only thing you really have to pay for is a fulfiller. So if you go in and tweak something in the background and you fulfill a ticket or you do a service agent, all of that is cost. But the actual modules when you download them, that is a cost, but all the plugins that come along with it that are associated with the module, so when we do the ITSM, the Pro type or the Enterprise edition, all of that is included. So it’s really cost efficient when you think about it, because it’s a foundation and you bring in an instance and then you buy the sandbox and then you come in and you’re able to get the test, pre-prod and prod, and all that is included, and then you can negotiate pricing, things of any nature. So the structure of it as a whole is amazing. And then the after effect to upkeep it is also cost efficient too. So one of the concerns that we had was, we have a million requests. What is that going to cost? That doesn’t cost anything, to come in and to request a license. The only thing that costs is fulfillment. So ServiceNow actually thought about that. And now ServiceNow also thought about sandboxes. What does that look like? So you can go in there and you can develop in your sandbox. And it’s like the wild, wild west. And the great thing about that is that you only incur cost if it’s associated to a production, if it’s associated, but if you want to do training, there’s umpteen amounts of just free training. You can go through; just recently they had a whole free training of the fundamentals. And so they take you through when they look at everything, and ServiceNow is fantastic about having just cost efficient things for the outside environments. You just come in and look at it. So people think, sorry. 

Adam McNair: Yeah, that sounds like a, you know, a very good point. I think also that if you look at it from an enterprise standpoint, what I’m hearing is that, and this has certainly been an issue with other tools that we’ve looked at in the past, your enterprise licensing cost is going to be related to the number of people that are really using it as a tool to provide, kind of, the underlying support. But the customers of the system, so to speak, those licenses are free; you’ve got a robust and what sounds like free training capacity and the ability to have included in your licensing a sandbox or test instance, so that you can, if you are starting from the idea that you’re going to do a limited scope pilot, come up with something as a minimum viable configuration, and then use that to drive further requirements. Because I think one of the things that we’ve talked about here before and elsewhere is that, you know, the technology is rarely the problem anymore. And so I think the challenges that you’ve run into in an implementation like this is that you may not know who approved something in your organization. You might not have really defined when is something automatically approved, or when is it discussed, or who discusses it, or who approves it. I mean, I’ve worked a lot of places, both customer organizations and internally, where the decision to provide somebody, for example, with a really high-end desktop machine was kind of this ad hoc decision. The decision as to whether or not somebody got developer access, kind of power user access to different tools, and administrative access to the box that they worked on was kind of an ad hoc discussion about, well, why do they really need it? And those kinds of things are very, very difficult to map out as a business process. And they are infinitely difficult to track or forecast, because if you don’t have any kind of criteria for why you make a decision, deciding how many of those decisions you’re going to make next year is nearly impossible. So one of the benefits of the incremental, you know, evolution of a rollout like this is, when you come across those business questions, when you come across the bits of governance that you have not authored yet, the system, when you get ready to do your next little piece of it, that next little rollout might ask a half a dozen questions that you have some time to answer. Whereas if you tried to scope and architect an enterprise-wide rollout, there are going to be questions spawned by questions that you’re not even going to know who to go to to answer. And so it’s a much more manageable business activity if you take that approach. And it’s also helpful to know about the sandbox and training. So both, you can be learning about the potential, you can be socializing that with the customer organization, you can be having conversations about what other capabilities there are, and then using the, quote unquote, free development environments to come up with the next versions of that, and then use that to drive the conversation about how one gets things approved, and if the customer is OK from a governance perspective. That makes a lot of sense. I think that’s kind of, to me, that’s what I take as the summary value of this: it’s easy enough to get some value out of almost immediately, and it will help you organize data and organize workflows, and streamline or get visibility onto your customer support, and then you can iterate that maturity from there. So, in summary, ServiceNow is continuing to grow market share in the federal government. We’re excited to be a ServiceNow partner. You know, we talked a little bit today about one of the use cases where we have been using ServiceNow. There are others. We’ve used it on several other programs, ranging from there’s no system in place, and so having something to track user interactions or licensing is helpful, up to we think there’s something there but we really need more maturity and better visibility and chargeback of licenses and some of those kinds of things. We’ve had a lot of really good success with ServiceNow, and so I just wanted to thank everybody for listening to the HighlightCast today. You can keep up to date with Highlight news on our website, HighlightCast. You can also follow us on our LinkedIn page. Thanks again to, as always, Kevin Long, but also to Kevin Milner and Sarah Dryer for joining us. Tune in to our next episode. We are going to be talking about emerging technology. And thanks again for listening to The Highlight Cast.

The views and opinions expressed in this episode are those of the hosts and do not necessarily reflect Highlight Technologies and or any agency of the U. S. government.

Episode #24 Low-Code Partner Series – AWS

Announcement: Broadcasting from Fairfax, Virginia. You are now tuned in to The Highlight Cast with your hosts Adam McNair and Kevin Long.

Adam McNair: Hello everybody, welcome to another episode of The Highlight Cast. I’m Adam McNair. Thanks for joining again. Joined today as always by Kevin Long. Hey, Kevin. Hey, Adam. How’s it going? Good. Good. Doing fine. Also joined by Roman Zhelenko. Roman, how are you? I’m doing alright. Thanks for asking. Good. So, what we wanted to talk about today was one of our vendor partnerships. Now, at Highlight, DevSecOps and software factories and digital government is a core part of who we are as a company. It’s a major service line for us. And when we talk about technology, that’s really what we are focused on. We work with vendors. The real thought process behind any vendor partnership is that the person that makes the product knows it better than you would. And there are a lot of different partnership vendor angles; all of the programs work a little bit differently. You get some different benefits from them. But today we wanted to talk about our partnership with AWS, which is Amazon Web Services. And Amazon Web Services is one of the predominant cloud platforms in the industry, certainly in federal government. I mean, of the primary ones that we see, Amazon fits a tremendous number of agency requirements. I think you see it at pretty much every agency that we work in. So somewhere between the cloud infrastructure and the application hosting, it’s really kind of become an industry standard. And so I think what we wanted to start off with, Roman, I know you work a lot with AWS on some of our programs. What do you see as the kind of major features of AWS? If a person wasn’t all that familiar with, you know, maybe the differences between AWS and some other platforms, or just hadn’t used AWS in the past, what would you say are kind of the major features? 

Roman Zhelenko: So right now, my primary client would be USCIS, and I guess our favorite feature there would be AWS S3, which is their Simple Storage Service. Overall, for an environment that deals with a ton of data, having something that’s low cost and efficient for storage is crucial for us. It was an easy sell. It’s incredibly easy to use, and I mean, we’re dealing with terabytes of data that are incredibly sensitive. So having AWS always focus on security makes our lives a lot easier. 

Adam McNair: And from a cost standpoint, one of the things that I have seen that seems to work very well with AWS, and with customers that I’ve talked to, is you can always pause an instance. So you’re really paying for what you actively use, so you can have an environment and pause it essentially. Now, when we’ve used AWS, we’ve used it at CIS, we’ve used it at other customers. But are there specific lessons learned in using AWS, or tips that you have for somebody, Roman? 

Roman Zhelenko: Sure. I think so. So we’ve actually had a recent lesson learned. I mean, I guess, as we’re exploring different tools within AWS, it’s not always designed for our environment. So one recent implementation where we’re using AppStream. AppStream is AWS’s VDI replacement. So our team is working alongside the AWS team, and they’re trying to integrate AppStream with the PIV authentication system. That hasn’t necessarily been fleshed out yet from the AWS side. So we’re consistently working with them, getting custom packages. And ultimately we need to show them that, hey, you guys need to mimic our environment to make sure that your test cases match what we’re looking for. They tested it with PIV cards, just not ours.

Adam McNair: And Kevin, now when we look at the customers that we’ve supported or that we do support, how frequently are we recommending AWS as opposed to it’s already in place? I mean, it seems like it is very, very common at this point. 

Kevin Long: It’s the big boy in the market these days. I mean, there are a couple of others. I mean, if you’re running a lot of Office or SharePoint, Azure through Microsoft is a very good choice, and it is as secure as Amazon’s and things like that, but it is targeted at Microsoft’s, you know, platforms. And then you have Google Cloud that is, you know, coming up, but largely we’re finding most of our customers are already either on AWS or want to migrate to AWS, with a nod to making sure that we have cloud agnostic things that we’re putting in there so that you’re not necessarily tying entirely into AWS or Azure or Google Cloud or one of the other ones. But you know what you find also, and I know on Roman’s program with USCIS part of what we’ve been doing there is using some of the Amazon specific tools, and what you find when you go deeper into a stack like Amazon, you can use things like their EKS, their Elastic Kubernetes Service, as opposed to something like OpenShift or Tanzu or insert any number of the other Kubernetes platforms out there. With that, you get the deep integration, you know, the behind the scenes wires that they’re all wiring together for that. Now, it does tie you to a vendor, but you get the benefits of being able to integrate all of those things together. And the nice thing, especially with K8s, is that Kubernetes is, you know, CNCF based. It’s got standardized stuff, so you can extract that and move it other places if you need to do that. But we find that most people want AWS and are probably already there at least a little bit, with either their EC2 instances for compute or S3 for storage or whatever. Yeah, I mean, it just makes disaster recovery so much easier, right? It’s GovCloud. You can put it in multiple zones. You don’t have to maintain your data center anymore, and you only have to pay for what you need. I mean, it’s all of those good things, and everybody wants AWS, for the most part, these days. 

Adam McNair: Does it tie in just from a security angle as well? I mean, something that you mentioned, the GovCloud instances through multiple levels of data sensitivity, AWS has figured that out. And I know there have been a lot of conversations about how do I secure my data in the cloud? And is this going to be sufficient? Not only have they figured that out and do they have the right, you know, not just the technology pieces, but, you know, like you’re talking about, making sure that it’s not replicated into servers that are sitting in some other country or all of those kinds of cloud things, but also, as we’ve talked about in previous episodes about continuous ATO, when you’re operating off of a common platform, there’s been a lot of documentation and so forth around some of these templates, so... Oh, absolutely. It, I’m sure, must dramatically facilitate cATO.

Kevin Long: Yes, and even if you’re not doing cATO, it dramatically improves just getting your straight ATO. AWS has folks whose job is literally to help people understand the security and security paperwork to get ATO for government systems. Like, that’s what they do. And at AWS re:Invent last year, where we went, they literally had this whole talk like, hey, in case you didn’t know, here’s this group. We want you to use our systems, so we’re going to help you make sure that you understand everything that’s here and get your authority to operate put in place. Amazon has gone all in on GovCloud and making sure that they’re operating from dirty internet all the way up to the highest levels of classification, right? And they have done all of the work to ensure that we can.

Adam McNair: Now, something that you alluded to there, you know, our interaction with teams like that, and calling up AWS and getting one of their security folks on the phone, for example, to help complete an ATO process. One of the things that we have noticed about the different vendors that we work with is everybody’s vendor program is a little bit different. Sometimes we get discounted training, sometimes we end up with access to information, or inside sales, or sales engineering, or even solution engineering, that just a typical company calling off the street would not have access to. Roman, as you work with AWS, and as we have become an official partner of AWS, what are the benefits our customers receive from our formal partnership with AWS?

Roman Zhelenko: So, I guess one of the best parts of the partnership is being able to focus a lot of your training and a lot of your effort on learning the new tools within AWS. I mean, the first step was just setting up the environment. The next step is seeing what else it can do. I know we deal with a lot of data, I’ve mentioned that, but one of the new tools that we really want to explore is the AWS Macie tool. It’s a machine learning security scanning tool that will scan through your environment looking for anything that might be sensitive, which again, would be amazing in places where we’re dealing with constant, different levels of security data, really figuring out where it is. And, you know, I think AWS would be a perfect implementation of that, but having AWS tech support and having their architects on call is incredibly helpful. Instead of our people going through the code, figuring out where our issue is, we can call them up and see, all right, where’s the issue? We really want to implement this for the customer as quickly as possible. So that has been incredibly helpful. 

Adam McNair: Gotcha. So that also brings up the point, if an agency is looking at AWS, you know, we talked about security a little bit as a benefit. We talked about cost as a benefit. If somebody was going to ask you, they have mission applications currently, they are sitting in, I think there’s probably different categories. If they have on-prem hosting, if they have their own data center lit up right now, not just cost, but trying to run your own data center is an entire line of business, an entire competency that adds complexity and distraction. I was involved in a FedRAMP data center program, you know, at one point, and the amount of conversations we had to have about things like making sure that the diesel tanks in the data center were full so that you could run periodic, you know, cut-over tests. Now, maybe somebody has co-located and they don’t have to worry about that level of involvement, but still, you’re managing an infrastructure team and, you know, potentially hardware and everything else that’s not part of your core mission. But assuming somebody is looking at different cloud solutions, are there other specific benefits outside of cost or security that you think looking at AWS can provide?

Roman Zhelenko: So I think the biggest one is, again, training. I love that they made all their training free. I love that they are allowing people to just get involved quickly, understand what the different offerings are, figure out, all right, this is a good solution for us, this might be a little bit better, giving you tiered support. So it’s becoming much more common to find people that understand AWS at least at a basic level to start on that implementation. 

Kevin Long: And the training is good enough that I could take it and pass a certification exam on it. 

Roman Zhelenko: So knock that out in a weekend, or like a weekend. 

Kevin Long: A weekend. I mean, the online training stuff that you get for being in their partner network is amazing. Yeah. But if you’re going to go over to AWS or other cloud stuff, beyond security and reliability, I think that the biggest thing is your ability to deploy to multiple availability zones, right? That you can be in New York and in Reston and totally separated, so that your disaster recovery is in a well-architected (Well-Architected, is that their trademark actually?), in a well-architected AWS system, it just, you’ll have automatic failover. And then in particular, I know I always fall back on thinking about, you know, my days at State Department where you’d have transfer season, right? And there were systems that would have enormous load when all of the Foreign Service folks were applying for different postings and trying to move around, right? And then it would be much less. And anytime you have spike availability or spike usage on anything, if you’re running on-prem or your own data center, you either sacrifice performance or sacrifice the cost for wasted capacity. And when you are working with a cloud provider that has a gajillion CPUs, I mean, it doesn’t matter how many you need, you can light it up with Amazon and you just turn it on, and you can even, you know, make it so that you can give it thresholds based on cost. Say, as people come in, I’m willing to add 15 more vCPUs to this, and/or have it spin up another cluster of stuff, and you have elastic load balancing and you have all sorts of things to just sort of, like, when you’ve architected it correctly, automatically flex to the throughput that is necessary for your application. And the ability to have that done efficiently is amazing and is the biggest benefit. You pay for what you use, right? I mean, you can turn it off when you’re not using it. You can have different types of computational resources available to you when you need it. I mean, they have CPUs that are good for floating point decimal work, or large amounts of in-memory processing, or just standard web server, you name it. They have the different pieces, parts to be able to architect the most efficient implementation of storage and compute out there, and you just build it and it goes. It’s great. 

Adam McNair: We have certainly gotten very familiar, and I would say proficient, with AWS in the past several years. I think one of the things that I’ve enjoyed is every time you all are headed off to an AWS conference and come back with information on the latest and greatest and newest and so forth, is they have a very robust capability or process for keeping their certified partners up to speed on both best ways to use what they currently have and developments that they see around the corner and so forth. I do know that you all are headed to an AWS conference later this year. So if somebody wanted to bump into us and chat about this, what’s the next AWS event that you guys are all headed to? 

Kevin Long: So it’s their big US conference. It’s called AWS re:Invent. It’s in Las Vegas. It is the week after Thanksgiving, so last week of November, first week of December 2023, and we’ll definitely be there kicking around. Last year we got to learn about how you can literally rent satellite time with them, because that’s one of their newest things. So hopefully this year we’re going to hear about the next things that they’re working with there. Yeah, we’ll be there November 28th through December 2nd.

Adam McNair: Well, very cool. And congratulations for getting to go out there during November and December. I think the last time I went out there for something it was in August, and it was less than ideal. Well, so for sure, I guess I’d sum up with saying, you know, we’re really happy to be an AWS certified partner. We’ve had very good experiences implementing, maintaining, and improving upon AWS tech stacks. A lot of our customers are currently on AWS or, you know, we were instrumental in moving some Coast Guard systems into AWS. We’ve had a lot of real success from that partnership and look forward to hearing what’s next from AWS. I’m sure when you guys get back from the November 28th to December 2nd conference we’ll get to hear more about that. And thanks everybody for listening to the Highlight Cast today. We wanted to take an opportunity to talk about our AWS partnership and explain a little bit about why we’ve made the investment in both time and people to further that. So, Kevin, Roman, thanks for being part of the podcast today. You can keep up to date with Highlight at HighlightTech.com on the web. Also, you can follow us on LinkedIn. Look forward to the next episode, where we’re going to continue to talk about some of our vendor partnerships and how we utilize those resources and technology. Thank you very much, and talk to you on the next episode. 


Episode #25 | Low-Code Partner Series – UiPath

Announcement: Broadcasting from Fairfax, Virginia. You are now tuned in to the Highlight Cast with your hosts, Adam McNair and Kevin Long.

Adam McNair: Hello and welcome to another episode of the Highlight Cast. Hi, this is Adam McNair and I am joined today by Kevin Long. Hey, Kevin, how are you?

Kevin Long: I’m great, Adam. How are you doing today? 

Adam McNair: Great. Thanks. Also joined by Emilie Scantlebury. Emilie, how are you? 

Emilie Scantlebury: I’m doing well. Thanks. 

Adam McNair: Good. So, we’ve been talking recently about some of our vendor partnerships, platforms that we work with a lot. Today, we wanted to talk a little bit about both a platform and a technology concept. So to start, we’re going to talk a little bit about UiPath today, but specifically about robotic process automation. We’ve been exposed to this. We’ve done work at Homeland Security. We’ve done some work at DoD. We’ve done a lot of process automation, and it can be done in a lot of different ways. We’ve seen it done in custom applications and so forth, but Emilie, I wanted to start with you. Could you talk a little bit about what UiPath is and what some of the use cases are that you’ve seen that led to taking the step in the investment to become a UiPath channel partner and certified partner? So could you talk a little bit about that?

Emilie Scantlebury: Absolutely, so UiPath is a really powerful tool when used effectively in agencies. I recently, earlier this year, attended the Rocky Mountain Cyberspace Symposium through the Rocky Mountain chapter of AFCEA over in Rocky Mountain, Colorado. And I actually attended a four hour session where they taught you end to end how to use UiPath. And right there, that’s another really big benefit of UiPath. It’s very low barrier to entry, low code, easy to learn to kind of implement from day one. But big picture, what UiPath I think really brings to the table to their customers is an empowerment to their citizen developers to help automate their workflows and kind of remove those repetitive actions that they may be doing. So if I am person A, and every day I’m updating Excel sheet B to give to my boss, which goes up the chain, instead of having to spend 4 or 5 hours updating that Excel sheet, now I can literally save thousands of keystrokes to just look at the data output and elevate not only my thinking or my ability to contribute, but also, with that, being able to elevate that type of thinking of actually, what is the data telling me? How do I input it? I can actually make a bigger impact across my organization, really thinking about organizational impact. When we are able to elevate that and elevate organizational impact to the end user level, that value chain goes all the way up, so that organizations are quicker. They’re more efficient. They are better able to solve their problems and, frankly, better able to see that problems outside of just day to day process could be more effective, eventually. 

Adam McNair: UiPath. We have used UiPath. We have also used kind of custom macro Word. There’s a pretty wide continuum, I think, of how one would do process automation in general, and drawing the line of when is it robotic and when is it just automation. To me, that has to do with how much assessment and understanding of what is coming in is being done. I’ve been involved in, we didn’t call it robotic, we just called it process automation. They were things like, when you were going to provision something, an event would happen, a new employee would start, and you know, some of the organizations that I’ve worked programs with have 50, 60, 100,000 or more employees. So the onboarding and provisioning is a lot. Somebody shows up and they get assigned to a given organization, and you could automatically create all these accounts, provision some web space for them, automatically ship some hardware. There were a lot of things that frankly would end up turning a ticket into a bunch of emails that would go out and do things. And to me that was a gain of efficiency, but really not that technically complicated. It was not that much more than a macro that, when something came into your ticketing system, spit out a whole bunch of instructions to a bunch of different people to do a whole bunch of different things. I’ve also seen some application process automation where it was kind of like a mechanical hopper system that, when something would come in, it would look at what was being requested and, based on what type of form it was, it was kind of a form handler. You knew what the process was going to be, but we’ve gotten a lot more complex in assessing and understanding what’s coming in. Now, Kevin, I know some of the application programs that we’ve been a part of, managed, run, etc. Some of the places we’ve used UiPath. Some we’ve used other legacy tools. What kinds of use cases have you seen for robotic process automation? 

Kevin Long: Sure. With RPA, I mean, really, especially as it’s getting more and more sophisticated, you can integrate them more and more with the homegrown hardcore apps that we support otherwise. But anytime someone has to do the same thing over and over again, right? We see it a lot in form processing. Like we’ve worked with things like correspondence coming in and people needing to check for particular things, you know, check boxes somewhere, and it would file things in different ways, right? And the same person would have to look at 100 different correspondence elements coming in before lunch, and that sort of thing literally became their job as, you know, a new office spun up and they were having to do that. All this comes in and that’s all they’re doing. Instead of focusing on innovating or changing or process improvement or anything like that, they’re reading correspondence. Something like RPA comes in, you can have it just trigger on receipt of correspondence, check it, file it, move on, and then you’re looking at the fallout, like the things that don’t match the standard criteria and things like that. And so you’re really bringing up so much time and brain space with your folks with that. And with UiPath, where you’re able to have API integrations where it can process and not just put it in a queue and say, hey, now you need to do these things. Awesome. It grabs data out of it, can read information from forms and then execute things inside your custom developed apps. And it’s more and more powerful as things are going with that and with, you know, learning algorithms getting put into it and things like that. It could, things get better, and it allows you to have your people focus on things that really only people can do, right? And so you can literally just have a robot doing the robotic things for you. 

Adam McNair: Now, one of my kind of early introductions to this type of automation, I used to work with Kristen Summers, who was at IBM for a very long time, and she’s now an operating unit CTO at Microsoft, right? And the kinds of things that she was doing around natural language processing work. Frankly, it’s one of those staggering, right? She’s a genius. She was always way smarter than me anyway, but just the kinds of things that she did around natural language processing, it was frankly fascinating to even see that you could get technology to do that for you. Yep. So yeah, that Joe Smith 

Kevin Long: and Joseph Smith, probably the same, same person. 

Adam McNair: Well, and let me tell you, using names like that makes it staggering. I could tell you a story about running language processing on a name that had, I want to say it was something like 14 or 16 letters, and had no vowels in it. Yep. And that was because it had been translated, you know, from different character sets and whatever. But so there are super complicated, you know, use cases for things like that. One of the other kind of concepts that she introduced to me was around data finding data. That the data insights, that you don’t have to know what insight you’re looking for. That’s kind of the Little League version of data analytics. The data itself will tell you what you should be looking for. So is UiPath capable of being engaged in your process and identifying potential automations? It seems like that’s one of the benefits of having a platform like that, is it helps you identify areas where you could automate and gain efficiency. From the times where we’ve implemented UiPath or an automation, the governance behind allowing that automation, have either of you seen an instance working with customers to get them to allow this machine or this robot to make that choice for them? The machine might come up and say, I think there’s an opportunity to automatically approve X. Absolutely. Kevin, what’s been your experience working with a customer to get, you know, get the governance around that? 

Kevin Long: So, that is actually getting easier and easier, because that’s the crux of machine learning, right? Where the machines have to go out and be able to look at the data to learn the different things. We weren’t doing it directly, but we were working around with the folks like NGA where they look at, you know, is this a truck? Is this a truck with a tarp thrown over it? Different things like that. And so they would have to go out and be able to have access to be able to do that stuff. And so a lot of the concerns around that, when you’re having machines have access to that, in terms of governance, they’re going to have to have access to the systems for that. And so the security folks get nervous the more holes that you put into it and where machines can do that. And where you can vet a person for security things, what a machine can do and be programmed to do, bugs come up all the time, and what it’s allowed to do and manipulate and understand and have access to is sometimes more nebulous and difficult to predict. And so coming up with rules around how it’s secured, what access they can have to it, whether or not it’s allowed to commit changes to systems of record and things like that, come into play. But as data discovers data and learns about things and your processes get more and more automated, we’re getting more sophisticated approaches to the governance around access, availability and using these types of processes. 

Adam McNair: Makes a lot of sense. I think it’s very common that the technology is not the issue, that your organizational governance and your decision making and applying metrics around your business and finding value has a whole lot more to do with implementing a technology program than the technology itself. Emilie, you mentioned a little bit that you had, you know, gone to a UiPath conference and had done hands on UiPath work. If somebody’s interested in learning more about UiPath or those kinds of events and opportunities, how were you finding out about them? What was the overall time commitment? Could you talk a little bit about what that experience was like? 

Emilie Scantlebury: Yeah, absolutely. So there are various UiPath events across the country. I usually look for them in conferences, just big technology conferences that we’re going to, period. UiPath in general, just the platform, has a really big push right now around getting this platform and software out into the hands of people at these conferences. So they’re putting on these boot camps, and they’re putting them on in places like that Rocky Mountain one. They just recently had a UiPath event in DC that I went to where they weren’t necessarily doing that bootcamp thing, but where they were talking about UiPath at large and how it’s implemented. UiPath Studio is available online for free. So you can download that, get the plug in, and to Kevin’s point, it can plug into things like your Excel, your Word, whatever it may be, and you can really just be a self learner, a self teacher, and you can get in there. It’s very self explanatory, very friendly UI, UX. And similarly to other platforms, it has an extensive online community. So I think a combination of those two will help kind of guide and navigate a new user to an introduction into UiPath and how to get started. 

Adam McNair: I think that’s a good introduction. And what I would also say is, just as a person that has worked on programs trying to automate processes and trying to automate processing of decent size collections of data, there’s so many times, so much manual labor involved in operating a large scale program. And I think a lot of times when we are looking for efficiencies of scale and technical efficiencies, and we’re talking a lot about the application of the IT spend, so much of it is the mission side. You know, we’ve done a lot of work with the SBA. We’ve done a lot of work with Health and Human Services on grants and loan processing. And when you start to look at the individual steps of the process and decisions that sometimes feel like a decision, but when you talk to the team about it, what you realize is 98 percent of the time, it’s always one answer. And you can also find out that the reason it would be a yes versus a no is sometimes pretty simple. And so that kind of process analysis and looking for efficiency can have a dramatic impact, not just on your organization from a budgeting and resource standpoint, where it can free up resources to go do other things that are mission critical, but it’s also from a user experience or customer experience perspective. Waiting for days or weeks to get through a gate in a process that might be able to be handled automatically by your software, powered by a tool like UiPath, can have massive benefit. A lot of us sit and look at user experience and customer experience stats on a continual basis on some of the programs we support. And we talk a lot about it. We talk about how we can have our customers be happier with some of the tools that we build. And sometimes waiting is just the problem. And so the ability to increase the cycle time can have a real positive impact. 
So if you’re interested in that kind of information about how to introduce efficiency, how to increase customer engagement or customer experience around a process like that, there’s certainly more information available on our website, HighlightTech.com. You can reach out directly to us, either through the website or through LinkedIn. You can also watch our LinkedIn site. We put a lot of content out as we talk about program experiences, successes, lessons learned, and our experiences with these kinds of platforms. I want to thank Kevin and Emilie. Thanks for taking the time to sit down and talk about our experience with RPA and UiPath. Thanks again for listening to the Highlight Cast, and we will talk to you again on the next episode. 

The views and opinions expressed in this episode are those of the hosts and do not necessarily reflect Highlight Technologies and or any agency of the U. S. government.

Episode 23 | Discussion with Jared Shepard from Hypori

Kevin Long: Broadcasting from Fairfax, Virginia, you are now tuned in to the Highlight Cast with your hosts, Adam McNair and Kevin Long.

Adam McNair: Hello everybody and welcome to another episode of the Highlight Cast. Hi, I’m Adam McNair from Highlight. Happy to be talking with all of you again. Joined as always with Kevin Long. Kevin, how are you? 

Kevin Long: I’m doing great. How about yourself? 

Adam McNair: Oh, great. I got the opportunity to go to the ACT-IAC ELC conference earlier this week, the Imagine Nation that they hold up in Hershey, Pennsylvania, so I’m getting back into the office today. And I was also really surprised to see the number of people. That’s a conference that we held some virtual and some in person last year, and a few of us went, and it was certainly odd at the time. And a lot of people, and so I would estimate, I think they said there was something like 970 people, and it used to top out at like 700 in some venues. So it was really a well attended event, and frankly the driving back and forth to Hershey is much nicer than an Interstate 95 corridor drive. So, 

Kevin Long: And so much easier than heading out to the Eastern Shore where it used to be. 

Adam McNair: Yes, right. So all of those, this was way easier. No Bay Bridge, none of that. So, happy to get back. And, you know, as I was at ELC, there were a lot of different conversations about both government initiatives and tools. I mean, things like CMMC came up, things like, of course, DevSecOps and software factories. And another thing that came up was device management, and that’s moved along, you know, a lot over the years, from why do people need a phone hooked to the email system or whatever to, you know, we’re approaching the point where whatever somebody uses is just an endpoint. Which is really exciting for us to be able to be joined today by Jared Shepard, who’s the president and CEO of Hypori. So, Jared, I’ve been around endpoint management and so forth, and I know, talking with Kevin, I’m excited to get you on the podcast today. What I understand is that you all have a real growing adoption rate in the DOD sector. But would you give us kind of an overview of what you guys really, where your niche is in all of this technology ecosystem?

Jared Shepard: Yeah, sure. And, you know, Adam, Kevin, it’s good to meet you guys. And I appreciate you guys, you know, asking me to come on and talk a little bit. And it’s funny, you talk about endpoint management, so I’m not endpoint management. I’m an endpoint, but a virtualized endpoint, right? So what is Hypori? Hypori is technically a secure Linux operating system, ultimately the AOSP, Android Open Source operating system, wrapped around a whole bunch of security protocols, and then a way in which we can deliver it to any edge device. And if you think about the implications of that, what that means is rather than, you know, we joked earlier about the idea of zero trust, right? You know, zero trust is that new buzzword that everybody throws out there. It was kind of like, well, the old cloud, everybody likes to use it in a sentence. Nobody really knows what it means. If you look at the academic definition of what zero trust kind of is and its idea, in there, I think the most common accepted version, there are five pillars in zero trust. One of those pillars is called edge. We solve for edge, and it’s by taking the opposite approach to endpoint management. We don’t manage the endpoint. We instead assume every physical endpoint is an aggressor device, and so we don’t trust it. And what we do is we enable that VM, that virtual machine, Hypori, to stream encrypted change pixels to an edge device that write over themselves, right? So only change pixels, not full screen scrapes, but only change pixels to an edge device that write over themselves. And then collect telemetry, i.e. touch, type, swipe, that kind of thing, hash and then encrypt that and send it back into your secure environment, whether that’s cloud or on prem, and translate that into an action. So, so what does that mean, right? Okay, I’m not MDM, and nor am I VDI. 
I’m an actual autonomous Android operating system, so a mobile operating system that we spent a lot of time trying to figure out how to trick into thinking that it’s native on any edge device that accesses it. So, you know, what Gartner said was, hey, congratulations, you guys are your own category. You don’t really have any peers. Oh, hey, by the way, we’re really sorry to tell you, you guys are your own category. You don’t really have any peers. And I didn’t understand the humor of that until I figured out that when you are in your own product category and you’re first to market with a really new concept, you spend half your time trying to explain to the customer what you actually are, because they end up being so embedded in the ideas of, like what you said, endpoint management, you know, that kind of a thing. So what we really are is we’re a secure streaming operating system accessible from any edge device. That’s zero trust in nature in that we assume the edge device is an aggressor device, so we don’t trust it. As a security play, we thought that was where our cat’s meow was, right? We were going to be this killer security platform that isolates data and enables you to access it. And what we figured out is there’s another side of the coin. And this was by accident. The other side of the coin is privacy. And it’s not only, am I a secure mechanism that you can access information through, but I don’t want visibility or access to the endpoint that is doing it, which means that your users can actually maintain a hundred percent of their privacy while accessing information from a secure enterprise. And there’s no chance of corruption, loss of information, intercepts, download, et cetera. 

Kevin Long: And since you’re only doing change pixels, nothing sits on the end device. 

Jared Shepard: Correct. Yep. The change pixels are writing over themselves constantly. The telemetry is hashed and encrypted and sent in and translated into an action, and it’s asynchronous. So the beauty of why that’s important is when it’s asynchronous, it means that you couldn’t run a keystroke logger or anything else like that, because you’d have nothing to tie it to. You couldn’t tie it to an image.

Adam McNair: So that’s fascinating. I will tell you, I spent years with different customers trying to solve the bring your own device, mobile device problem. And there were always all of those issues you’re talking about, because first off, if it is a trusted device that’s a government device, you have all of these issues of, well, what if somebody loses it? How do we have encryption of the data going to the device and then encryption on all the data at rest on the device? And I was part of a program one time where we wanted to make sure that these devices, they would travel with government and contractor users around the domestic US, but it was really important to us for a lot of reasons that if it ever left the continental United States it couldn’t be used. So we had all kinds of complex geofencing that was built so that if they ever drove across the Canadian border, the device would start to wipe itself. But then you ask yourself all these questions. What if somebody is being malicious and they put it in a Faraday case? Drop it in a Faraday bag. Yeah. Drop it in a Faraday bag, and all of a sudden you can’t do that anymore. And so then you said, okay, well, what if we have it so every time it goes into something like that and loses its signal that it wipes. Well, they go through a train tunnel, we don’t want their device to wipe. So, the complexity of those conversations would, I mean, we’re talking about months of planning and discussion and trying things. And then, the other side, when you would get user owned devices, and they get very touchy, understandably, very touchy about what are you putting on my device? This thing sits on my device. And you’d have some customers that would say, okay, well, if you’re going to use it for our enterprise, we’re going to take your entire device over. And I don’t want you to encrypt all my own data. 

Kevin Long: We get to wipe your device when you leave the organization. 

Jared Shepard: Right? Oh, well, I mean, you know, and fascinating. One of the things that’s just come out of this, again, we started out as a cyber platform, right? But what’s come out of this, though, from a privacy standpoint, is something that we hadn’t anticipated. And the Army and the Army National Guard really looked at this in depth, which is the liability piece. So look at a BYOD case, you know, for the Army or for the National Guard. I’m going to allow Sergeant Snuffy to access NIPRNet, okay, from his own device. So my choices are using like an MDM, so endpoint management, right, or a platform like mine. Well, the problem with endpoint management of any kind, MDM of any kind, it doesn’t matter which brand you’re thinking of, is that it has specific visibilities into the platform. Now, of course, MDM guys will say, no, you can isolate that. We don’t want to see what’s going on in their phone. Well, you say that right up until Sergeant Snuffy surfs the wrong website and gets malware from that website. And when that malware then acts against the security container, the MDM will then report that. So now you have this paradigm problem where you have, hey, I have an endpoint user, Sergeant Snuffy, who just flagged for maybe malicious code, and maybe it’s known malicious code that’s associated with an illegal activity of some kind. Kitty porn, something else like that, right? So now you legally, as a government organization, have an obligation to do an investigation into something that you had no constitutional right to have access to in the first place. That’s just a liability that nobody wants. I don’t want to know what Sergeant Snuffy is doing on his phone in his own time. Sergeant Snuffy doesn’t want the Army to know what he’s doing on his phone in his own time. But I still need to empower Sergeant Snuffy to have access to an official communications channel.

Adam McNair: Well, and another unintended effect and kind of time sink that I’ve seen is, you know, like you’re talking about, that responsibility once you as the government, or as their contractor, have that information. It is your responsibility to look at it. You can’t just say we had this data that was reported to us, and then something happened six months later and you say, well, we don’t look at those logs.

Jared Shepard: Well, you know, in fact, it’s actually changed. So now you don’t have that choice anymore. So if you look at the Cybersecurity Act of 2022 that just passed, the Cybersecurity Act of 2022 says any managed endpoint, which is both, you know, BYOD or government, that is compromised with malware must be reported all the way up to CISA. So now if you’re, you know, a defense industrial base customer, like a Boeing, Lockheed, Northrop, Booz, whoever, right, do you really want to report that one of your employees had their device compromised by bad actor software because they were browsing the wrong kind of website? You want to report that to CISA? Nobody wants that. 

Adam McNair: Now, and you’re right. We are put in those situations. I mean, Kevin and I had been in spots before where, you know, just because somebody had what was clearly, we believed, an innocent, unintended issue with a device that got compromised, and we’re having to tell them, and all the way up the chain, that there was a compromised device, it does put you in a negative spot. So there’s another aspect of that. As we were having conversations about CMMC at Highlight and we were preparing for it and we were gearing up for it, one of the most challenging conversations that we had was, we had an MDM in place already. And we overlaid the CMMC requirements over top of the MDM features that we had, and that Venn diagram was impossible to complete. Every time we would look at a tool that we had, or a tool that we could buy, because what we were hoping for was, from both a cost and simplicity of architecture and everything else, we just wanted to have one tool. Plus, you know, there’s also some aspects that when you start to lay a bunch of different security tools over top of each other, one of them can’t tell what the other one is doing, and you can actually end up with kind of a mess that way. But, so we wanted to end up with one MDM, and we were having really difficult times finding something that was appropriate for the scale of our organization, that was compatible with the other tools that we already had, that wouldn’t require us to rip a whole bunch of stuff out, and that also wasn’t going to be the world’s most complex cobbled together, okay, well, what does this tool do? It only does this little log aggregation. That’s all it does. And we have this extra thing. 

Kevin Long: Impossible to manage or impossible to do work with. 

Adam McNair: Yeah. Right. And also some pretty significant potential for, like, really bad user experience. You know, welcome to Highlight. Here’s your mobile device. Install these 14 apps and just log into these things. And some of these logins are unique and they expire every, you know, 30 days. But what I’m hearing is that CMMC issue is a huge one, because the defense industrial base, the conversations, as I was sitting on the advisory board at one point, when I first heard about CMMC, I’m like, yeah, we’re a defense contractor. We need to be able to support this. And we’d be on some of these calls and there’d be a company that says, look, I make rivets. I make rivets for various airplanes and DoD buys some of them. Like, because I’m used to the idea that we have all this data and we’re used to data security and all of these kinds of things. Not that we are a manufacturer or, you know, somebody that decided to sell some tires to DoD and now all of a sudden I’m, you know, a supplier under those terms and need to, you know, safeguard data. So it sounds like Hypori is a potential way that you don’t have to deal with any of that. I mean, is that basically the way your construct works? 

Jared Shepard: Well, I wish I could say it was that easy of a big magic wand, right. So let me unpack what you just said a little bit. So one is, you know, MDM has its place in infrastructures, right? And I’m definitely not saying I’m the replacement for MDM. I’m an alternative to MDM on an endpoint when you talk about BYOD. But like, if you’re an MDM shop already and you’ve deployed, for instance, Microsoft Intune and you’re using it because it’s integrated with all the rest of your Active Directory tool sets, et cetera, and that’s good for you, great. Deploy inside of Hypori and manage the virtual device rather than managing the physical endpoint, right? So if you start to think about MDM, really it didn’t start out as a security tool. It started out as an inventory management tool. And if you need that in your enterprise, it’s still a very strong tool to use. But now you look across the defense industrial base, you know, what you’re talking about, like people who have to be CMMC 2.0 compliant, look at the problem set of how do I get access to GCC High and how do I protect that? And, you know, how do I meet all the CMMC 2.0 requirements? One of the fascinating things is people say, well, MDM. Okay. So who are the largest MDM providers right now in the DOD? MobileIron, AirWatch, and Microsoft Intune, right? Okay, so do you know who Microsoft Federal uses for BYOD? The reason for that isn’t because I’m better or worse than Intune. I’m not Intune. I’m not an endpoint management platform, right? Which is what MDM is. The reason for that is because Microsoft, specifically Microsoft Federal, is faced with the problem that the rest of the defense industrial base is largely faced with too, especially the larger guys, the Boeings, the Accentures, the Lockheeds. 
They have more than one security environment that their employee needs access to, and an MDM can only actually manage one security environment on an endpoint. So now think about that. Why is that important? Well, because the employee of Boeing has to have access to boeing.com and boeing.gov or .us, right? So they need to have access to both their HR side of the house, which is big corporate headquarters, and then they need to have access to GCC High for government customer related activities. How do you do that from one endpoint? Well, I mean, MDM can only address one of those two. It can’t address both. We can address both, and we can enable you to not have to issue an additional phone for GCC High and manage an additional entire endpoint management platform, right, etc. So, again, like, having Microsoft, you know, being a user and consumer of Hypori kind of goes to show that I’m not a competitor to MDM, nor am I MDM, nor do I propose to be. I’m an alternative solution to the way in which, from a Zero Trust standpoint, you treat endpoints. 

Adam McNair: I see a lot of tools that, MDMs are the same as kind of all the different families of tools. It's very common that whatever they started as and evolved to, they're always better at whatever they started at than all of the other things that have been added on. And so, you know, you're right. I've seen a lot of times what was really asset management or patch management was kind of the core that then said, like, we're just going to manage all these endpoints with this thing. And 

Jared Shepard: remember that that's what cyber security started out as, as policy and ultimately software management, you know, patch management. 

Adam McNair: Right. We're only going to deploy locked-down versions, and we ought to at least have an inventory so we know 

Jared Shepard: what we have. And that's where I challenge also, too, the idea, we talked about Zero Trust and ZTA, right? I challenge the idea of Zero Trust in that you can't tell me that you're a Zero Trust platform if the first step of being Zero Trust is you have to control the endpoint. Because controlling the endpoint implies trust. Control, the word itself, implies trust, right? So if you're truly a Zero Trust platform, you should allow any endpoint to have access to your environment, and you have to validate who they are. Are they accessing from a known device? Are they accessing information that's relevant to them? Right. You know, so it's this multiple layer of reaffirming, not trusting, but reaffirming: you are who you are, you're accessing from a device you're supposed to be accessing from, you're getting to the data you're supposed to be getting to. Okay. You're only doing what you're supposed to be doing with that data. And so, you know, what we focus on is making sure that that endpoint does not present a challenge or a break in the chain of Zero Trust. You know, 

Adam McNair: what you’ve deployed at a high level. I know you mentioned the Army and you’ve mentioned the Guard and the Reserves. What’s the superstar use case that brought this up?

Jared Shepard: I mean, we have a lot, but I would say that how we started really in the Fed, um, was actually a very unique use case in a very unique customer set. But where it grew to is, the NSA has a program called Commercial Solutions for Classified, or CSfC. Um, we are, I believe, now the largest NSA CSfC deployed platform in the Department of Defense as well. So, you know, for instance, U.S. SOCOM uses us at scale, and other organizations use us at scale for mobile access to classified. Now, that is not BYOD to classified. I don't think there ever will be a BYOD for classified. I hope there isn't. So that's a managed GFE endpoint that then can, following the NSA's guidance and certain protocols, get access to a classified network. You can use Hypori for that. We are one of the authorized vendors for that, and I think one of the largest deployed vendors for that out there. And of course, why the NSA likes us for that purpose is the no data in transit, no data at rest, for the same reason why now you look at the Army, what the Army is looking at it for. And they're in the process of deploying their first 20,000 users, and then going to scale. If you listen to Mr. McNeil, who was, you know, at the National Guard Bureau, one of our biggest advocates, uh, you know, he pushed really, really hard for this as a Guard solution, because remember we talked about, you know, the defense industrial base and, you know, what happens if you need access to .com and .us. Well, think about that from a guardsman standpoint or reservist standpoint who has a day job, and that day job may require that he has an MDM on his phone, right? Well, then how does he access NIPRNet to do his Guard work on the weekends or, you know, during drill time? If he already has an MDM on his device, you can't have two, you can't have two security containers, right? So Hypori solves that for the Guard and Reserve, or what they call COMPO2, COMPO3. 
Um, it solves it for that side of the house at massive scale. It gives people who would normally have to drive 30 minutes into an armory to get access to NIPRNet just to do basic NCOERs or OERs and that kind of thing, it gives them access and the ability to be way more productive in a more convenient way at scale. And then the Army, of course, you know, led by Dr. Iyer and General Morrison, that, you know, G6 of the Army and the CIO of the Army, you know, they've looked at this as an opportunity, uh, to also improve efficiencies across the Army, improve access out at scale, uh, reduce maybe the actual physical infrastructure requirements that are actually on NIPRNet because, you know, does NIPRNet really need to be this all-expansive, all camp, post and station encompassing thing, or does it become an access platform that you do CUI and unclassified based information on, right? And the reason why we're really looked at, not only do we have a CSfC platform, but we talk about your PKI certificate in that CAC card is a CUI certificate. Which means if you're using an endpoint management platform of any kind, you're storing a CUI certificate on an uncontrolled endpoint. And that becomes problematic, right? So we solved that because we use a corporate certificate on the external side of the tunnel. You actually would resolve against your personal PKI certificate inside the VM. Which means there is no CUI certificate ever in transit or at rest, public or private key, uh, in our solutions. So it offers a lot of ways to solve problems for the Army on the unclassified side of the house, both the Army, the Army Guard, Army Reserve. I'd also argue the other components as well, and hopefully some of them are going to participate in this pilot with us, uh, as well.

Adam McNair: So that makes a tremendous amount of sense. The idea of anytime you have somebody that is periodic or part-time, you know, when I think about all the customers we've supported over the years, uh, FEMA, when there are disasters and you're going to get a bunch of different people that might be from everywhere. I mean, you get state, you get local, you get all kinds of groups. I've done a lot of DHS work in the past where one of the biggest challenges was, you have something at the DHS level that is classified, and maybe it's Secret, maybe it's lower than that, but state and local doesn't have that kind of clearance. And so you can't give them a device that they can put that information on. So those kinds of use cases that we pretty much just had to say, well, we're going to have to throw people at this. We're going to have to have 

Jared Shepard: people sit down and buy more infrastructure and build more infrastructure, right? You know, and you're actually speaking to, you know, part of our larger public sector sales approach is like, look at that FEMA use case, that perfect use case, right? Okay. A hurricane hits, FEMA shows up. Well, who else shows up? Well, the Army may show up, the Red Cross shows up, the National Guard may show up, state and local show up, volunteers show up, other governmental organizations potentially show up. You know, it becomes a nightmare of collaboration, right? And historically, like, FEMA literally shows up with transit cases full of radios to hand out, right? And they try to figure out how do we truncate from radio system A to radio system B, and how do we talk to state patrol versus how do we talk to the National Guard? This is a problem set they've always had, right, across the board. Well, do you know what every single one of those people has?

Adam McNair: A smartphone, their own smartphone, right 

Jared Shepard: now. Imagine if in an emergency environment you could stand up a provisional cell phone network, or if the native cell phone network works, all you had to do is send out an encrypted certificate ultimately to the endpoint that you would actually scan, and all of a sudden, you know, QR code. That was the word I was looking for. You send out an encrypted QR code to anybody who you want to participate. They download the app and they're provisioned. Now they're in your environment. They're securely command and controlling within your environment and they have visibility of each other. They can securely share information and pass information between each other. But, oh, by the way, when the exercise is done or when the event is done and you deprovision everybody, they've never been in possession of the data, which means there's no loss of HIPAA. There's no loss of PII. There's no loss of government sensitive information, TTPs, everything else like that, right? Because you've contained that all within the enterprise environment that simply was just managed in cloud or, you know, in some of our customer use cases, in a vehicle-mounted rack where they have a deployable, you know, platform. 

Adam McNair: I'm thinking about so many times where we had those kinds of challenges. I've also done a lot of inspection type programs where we were building the apps for inspections and inspectors are going out, and whether it's food facilities, whether it's mines, whether it's national parks, there's all kinds of inspectors that go out, and it's a pretty common use case for the government. You know, if you need to have somebody go through and inspect a zillion miles of road for the National Park Service, that's exactly the kind of thing where they will go out and say, look, we're going to go hire somebody for, you know, 300 hours, and they're going to go out and do this and send a report in. And the amount of infrastructure that it took to provision devices and send them to those people and FedEx them to their house. And then when it's lost or it's broken, now it's off schedule because now they can't get a different one. And now we have to reprovision, and everybody that gets something like that seems to either forget to return it or they lose it, or it got dropped and broken, and 

Jared Shepard: well, and remember, guys, this isn't a problem unique to the government, right? The commercial world faces this too. Like, look at the SEC. It has doled out, like, you know, over 10 billion in fines, but that may be overstated. I think it's like one and a half billion in fines to banks, you know, because of SEC violations during COVID. All of a sudden people were texting their customers financially sensitive information in a non-logged environment, right? Well, so now you've got regulated healthcare, same problem, HIPAA. I mean, HIPAA is chomping at the bit to go after some of these healthcare providers over COVID who have essentially just disregarded HIPAA regulations on protecting information, you know, patient information. You know, anywhere that you are interested in protecting information sets, data sets. You know, heck, the Special Olympics selected us because they thought they were going into Russia to do the next Special Olympics. Well, why is that a problem? I mean, we probably don't have to say that for this audience, right? But of course the worst thing that could ever happen is, you know, at the finals of the Special Olympics, all of a sudden the data becomes ransomed. And if you want to finish the Olympics, you're going to have to pay a $10 million ransom to get your data back. That's like a nightmare scenario for that kind of environment, right? So they had already selected us as their entire mobile platform for that as well. And it all comes back to data at rest, data in transit. How do I allow a Zero Trust environment where I assume the endpoint is potentially an aggressor platform, either malicious, like knowingly or unknowingly by the endpoint user? You know, how do I enable that to interact with my environment in a safe and secure way?

Adam McNair: So what's next for your platform and your tool set? Are you focusing on just continuing to expand and take this to additional customers and additional markets? Or is there some next, you know, big leap? Because it sounds like, I mean, the capability that you have sounds truly next generation kind of thinking. So what's next? Just continuing to take this to organizations that don't realize how much easier some of these, you know, these challenges they're facing and having to throw people and infrastructure at could be?

Jared Shepard: So, you know, the BYOD problem set is obviously where we're attacking right now, because we think we're a completely new solution. We don't really believe we have any peer technologies out there that do what we do. And it's a new approach to a very old idea, right? The beauty of this is the simplicity of it. If you think about it, what we've done is we go back to the mainframe days. We essentially just created the ability for you to have an unlimited amount of dumb terminals on the edge that can interact with data but don't actually present any risk to the data. But why is that evolutionary for us? And what do we think is next, right? I do believe I'm going to grow and scale and take over most of the regulated data space when it comes to endpoint BYOD access, that kind of thing. But bigger than that, I think we can have a new conversation about how endpoint works as a whole. So when I say that, it's like, if I show you Hypori running in a high performance cloud environment right now, that operating system, if we did a bandwidth test, will pass four to six gigs of bandwidth, gigs, to an endpoint that has a 3G connection or a 4G connection or a WiFi connection, right? Because remember, the operating system isn't actually on the endpoint, it's on the backbone of the data fabric, right? Oh, by the way, that's also the same for processing cores. So if you have a handset in your hand, one of the, you'll say, like, for instance, I carry the Samsung S22 Ultra, right? It's a great phone, one of the highest performing phones on the market right now. But if you run a benchmark against Hypori running in a high performance cloud environment, I'll beat that phone by 40%. So you start to think about what are the implications of that? What if you could get to Hypori from a television, from your 72-inch TV? How many PCs do you have in your house, right? What if you could get to it from your 72-inch TV? 
app, have a Bluetooth keyboard and mouse, and now you have a faster performing computer than what you could go buy from Best Buy.

Adam McNair: I didn’t even consider the speed aspect of it. I mean, 

Kevin Long: yeah, more secure, more secure and processed in the cloud where you have unlimited vertical and horizontal scaling of processing.

Jared Shepard: We literally joke. We say, hey, look, I'm putting the power of cloud in your hand, right? You know, because if you start to think about that as the technology advances, you know, we're moving more towards a Kubernetes-based and containerless, you know, serverless data platform, etc. But could you imagine an environment in cloud where I could dynamically apply resources against your need for an incremental period of time? Right? So for instance, you do something really heavy. I throw 32 processing cores against you and 32 gigs of RAM against it. And then the minute that that requirement is done, you know, a couple of seconds later, I down-provision you back down to a handful of processors again.

Kevin Long: And the only thing that you ever see on your handset is the pixel change. That’s all. 

Jared Shepard: Well, so you look at, like, what was required for technology like this to become relevant. A couple of things. One was, this technology has been around for a while, right? You know, so, okay, so why didn't it take off four years ago or five years ago? Well, a couple of things had to change. One of them was an event, right? One of the biggest events of our lives is COVID, right? Because pre-COVID, if you had walked into the government or walked into a major bank or anything else like that and said, hey, how are you going to allow 80 percent of your workforce to work from home? You'd have been laughed out of the room. 

Kevin Long: Right, right. Yeah. We’ll let them work from this cubicle. It’s fine. 

Jared Shepard: Yeah. Today it's a very different conversation, right? We now understand the reality of having to empower people to work remotely. There was also the evolution of two technologies that were really necessary to make this work, and work as effectively at that scale as it does, too, and they both kind of came together at the same time, which is a perfect storm for us. One was cloud, right? The actual, literal ability for cloud to mature to the point that it is at today, where you can apply, like you said, unlimited resources vertically or horizontally, you know, in a cloud environment and be able to do so dynamically. And when you think about the way people use a mobile device, that incremental compute, you know, that I use it for a little while, then I don't use it.

That's perfect for cloud, right? Nobody, you know, you put in your own data center something that you're gonna run 24 hours a day, seven days a week, but that's not what we use mobile operating systems for, or even a desktop operating system for, right? Um, so cloud is beautiful for that. The other thing that was required is, well, 5G, the idea of a high bandwidth, but less important about bandwidth, more about latency, a low latency access network that's accessible from anywhere. Because, you know, in the end, the enemy of all virtualization is latency and dirty networks, right? But so in an environment that has very, very low latency with unlimited resources in cloud, all of a sudden we could change the way edge compute is considered.

Kevin Long: I mean, low latency, but also, I mean, you don't need 5G bandwidth for that because you're not sending, I mean, 3G bandwidth works for you. The beauty of 5G for us is less 

Jared Shepard: about the bandwidth, it's more about the low latency. 

Adam McNair: Yeah. And that was always what would happen. If anybody was going to, when you tried to do something virtualized like that, whether it was virtual desktop or any of the, you know, those kinds of tools, as soon as there's latency, then your customers go like, I... this thing. And I've tried to use some things before where you felt like you were, it's like the old Apollo 13 stuff, where you were typing and then all, 

Jared Shepard: yeah, 

Adam McNair: yeah, yeah, well, it's fascinating and exciting to have something that is truly without category. I mean, because it usually, I think, means there was a point where this cloud thing wasn't a category, because best data center solution was the category. Yeah, originally 

Jared Shepard: it was called outsourced data centers, right? Yeah. Right, right. 

Adam McNair: Um, so I mean, that’s really fascinating. Congratulations on, on what you guys have, have built. If somebody wants more information, they’re interested in it and they’d like to talk to you, what’s the best way to get in touch with you guys? 

Jared Shepard: Sure. I mean, you know, just like everybody else, go to our website, which is, you know, www.hypori.com, which is H-Y-P-O-R-I dot com. You can find us on LinkedIn. You can find us, you know, through any number of mechanisms and social media, et cetera. And, you know, we've got a great team. You know, we are still a small business, right? We're a better known business, but we're growing rapidly. We're building out our capabilities. We're looking for great partners. We're looking for great customers. We're looking for great ideas. So, you know, just reach out to us. You want to see what we're doing? You want to try it out? You don't believe us? You want to throw the BS flag on me? You can do that. And then once we show it to you, you can then become an advocate and go and advocate for us out there.

Adam McNair: Fantastic. Thank you so much. This has been a fantastic conversation. And it really is, you know, these are the parts of technology where you see broad reaching impact that is positive and brings security, and apply that to the use cases in the government where it is going to save lives, or it's going to allow better disaster response. There's so many things, you know, it's going to avoid data leaks and security problems. There's so many positive things. It gets really exciting, uh, you know, for somebody like me who has just always worked federal government. Yeah. 

Jared Shepard: We've been really excited. I mean, you know, again, having leadership that is willing to be a change agent, because change is difficult. It's not human nature. Everybody resists it. But having guys like Dr. Iyer, like Ken McNeil, General Morrison, who are really willing to take some risk and push out change, has been pivotal for us. 

Adam McNair: Fantastic. So, look, thanks again for joining us. Thanks, everybody, for listening to the Highlight Cast. You can keep up to date with Highlight, our news and activities. Follow us on LinkedIn or our website, HighlightTech.com. On a weekly basis, I usually have some content going out on LinkedIn for topics of relevance to the GovCon community. Tune in again for our next episode. You can watch our LinkedIn for when that'll be posted. Uh, thanks again to Jared Shepard from Hypori, thanks again, Kevin, thanks so much, and we'll see you next time.

The views and opinions expressed in this episode are those of the hosts and do not necessarily reflect Highlight Technologies and/or any agency of the U.S. government.

Episode 22 | CATO with Bryon Kroger 

Announcement: Broadcasting from Fairfax, Virginia, you are now tuned in to the Highlight Cast with your hosts, Adam McNair and Kevin Long.

Adam McNair: Hello, everybody. This is Adam McNair with another episode of the Highlight Cast. Uh, today we are joined, as always, by... Hey, Kevin, how are you? I'm great, Adam. How about yourself? Good. Thanks. Also, uh, special guest. We're very excited to have, uh, Bryon Kroger, who's the CEO of Rise8. Bryon, how you doing? 

Bryon Kroger: I’m doing great. Thanks for having me. 

Adam McNair: Good. So, glad to be able to get together here to talk a little bit about CATO. Now, I will confess, I mean, I've been in circles and we've talked about it a little bit, but I do think it is not as commonplace in conversation. You know, it hasn't become ubiquitous, and everybody knows what cloud is now. Everybody knows, I think, what DevSecOps is, and even if you don't know the finer detailed points of it, you kind of get the general idea. But, um, Bryon, would you give us kind of your rundown of, you know, what is

Bryon Kroger: Yeah, absolutely. Uh, so unfortunately I came up with the name, uh, or the moniker. It was, uh, you know, when we were doing Kessel Run, we liked to brand things for marketing purposes. Uh, like the name Kessel Run itself, uh, which I know y'all are familiar with. Absolutely. Um, but, uh, you know, the real underlying core principle was making RMF continuous, but continuous RMF didn't sound nearly as exciting and marketable. The thing that everybody wanted at the time was an ATO. And in fact, many folks, and we'll hopefully talk about this later, wanted to avoid the RMF. So, you know, we chose that name. I kind of regret it because people stopped focusing on the RMF piece, but it was really about, uh, making RMF indistinguishable from the software development life cycle. So how do you incorporate all of the steps of RMF during continuous delivery and continuous deployment of software using DevSecOps?

Adam McNair: Gotcha. And so now, if anybody isn't kind of, they haven't been in that domain before, you know, my layperson's description of RMF is, it's really the security authorization process across the federal government that has evolved over the years. It started out as an early on assessment where you were going to do a security assessment of a system and you got authority to operate that system, and they did what they called a certification and accreditation process, uh, which really was, you came in and looked one time. And over time they decided, well, wait a second, you know, incremental changes to systems, and when we're patching things and changing things and adding modules, there should be some sort of a relook at this periodically. And so these ATOs shouldn't last, you know, kind of forever. And then on the DOD side, the Risk Management Framework is really that kind of iterative process where you come in and there's, you know, scans and paperwork and various things that you do. But, you know, it feels to me a little bit, and you guys tell me if this seems accurate, but it feels a little bit like the same challenge you would have with, in DevSecOps, anything that was kind of waterfall, like anything that was like a big long term activity, everything changes too fast. And so from a security perspective, when you go tell somebody, hey, don't worry, we're going to deploy code like every day, they're like, well, you can do that, but then we have to re-scan everything and re-look at all of it for security reasons. So what we're talking about here is security theory catching up to the DevSecOps delivery model. 

Kevin Long: Is that a fair way to look at it? It's what let the Sec go into DevOps, really. If you're continually delivering code, you have to be continually delivering security as well. It has to be baked into it 

Bryon Kroger: as part of it. Yeah, one thing I'll mention there too is, you know, it's always important to distinguish between security and compliance. Um, you know, it's an overlapping Venn diagram, and necessarily so. Compliance is always going to lag the leading edge of security. So, uh, you know, we like to say compliance and, but absolutely compliance is the starting place for a good security posture. And, um, you're absolutely right in that that's the way it was being practiced. I would say, though, that, um, you know, one of the first things my team and I did was we really dove into NIST RMF, into FISMA, uh, into all the various aspects of federal compliance. And much like when I dove into the Federal Acquisition Regulation, I was surprised to find that not only did the policy support doing things this way, it actually actively encouraged it. Even though it was written, uh, you know, before DevSecOps was really a thing, a lot of the, um, underlying values and principles about, uh, doing things iteratively, doing them continuously, uh, using the latest and greatest technology, um, not ascribing it to a particular technology, I mean, all the things that we would want. Uh, so I would say NIST RMF, you know, there are some controls that need updating, don't get me wrong. If I could have a hack at it, there's lots of things that I would, you know, want to change, but by and large, it generally supports the things that we need to do to achieve DevSecOps. 

Adam McNair: Yeah, and I do think, I also, I've seen that in a lot of different areas where it is almost folklore that a thing won't work. You know, they say, like, I don't think we're allowed to do that. And it is because, frankly, I think one of the things that happens is most people aren't going to take the time to go crack open all the NIST controls, the FAR. They're not going to do that. And so you kind of get anecdotal evidence, where somebody will say, well, you can't do that. And what they mean is, in a particular situation, for a specific use case, when we tried to do something, somebody told us no. But it gets so complicated as to why they may or may not have been told no that a lot of times, um, you know, I've seen, you know, cloud be that way, for example. You know, there was a lot of conversation early on about, you can't just put all of this data someplace, it's not secure. And there were non-secure clouds. That didn't mean that you couldn't have a secure one. So for CATO, um, what really is the driving kind of mechanism behind it? Like, how do you know, if you have somebody that is, you know, currently been doing an ATO process that is not as flexible and iterative, how, you know, what's the way to start going down a CATO path?

Bryon Kroger: It’s to start by actually doing RMF, uh, the way that it was intended. And I say that because, um, in a lot of waterfall, you know, acquisition type programs that you see in federal government. Uh, much like testing and everything else, it was done at the end, right? We do all of our, uh, requirements generation, then we go into design and then we go into build and then we go into test and then we go into cybersecurity. Uh, and so it wasn’t done concurrently with the life cycle of software development. So that’s the first step, you know, because I think there’s this misunderstanding that continuous ATO means I don’t have to do RMF anymore, uh, that I don’t have to produce standard, uh, you know, RMF or ATO documentation, what we call the body of evidence. Um, and while there are cases of people not doing that, I, I think that’s a horrible practice. And, uh, the way to get started is to really, when you’re starting a DevSecOps initiative in particular. I don’t believe that you can really do continuous ATO if you’re not doing continuous delivery. Doesn’t really make sense, right? Um, right. And so if you’re going to start a program that’s focused on continuous delivery, you immediately need to start preparing for that, which is the first step of RMF. And, um, you know, some of the things that you’re going to have to think about is, uh, you know, there are hundreds of controls, depending on what overlays you’re dealing with. There might be a thousand plus controls, uh, that you’re going to have to deal with. And obviously you can’t update those if you’re deploying once a week, you can’t update all 1000 controls once a week. So you have to figure out how to modularize your control selection by mapping the different layers of the tech stack. And then you really want to focus on where am I going to have the highest velocity of change. Because that’s the layer where you’re going to need the most automation, you know, a lot of people will be critical. 
They're like, oh, we still haven't really automated this, this, this, you know. Well, you don't have to automate everything. You need to automate the most time consuming parts first. And what we find almost universally is that's at the application layer. And so, um, that's an area where you need automation and tooling, and the industry has some good options. Um, but I would say that that's really important: mapping your controls across your tech stack, and then understanding where you need to apply automation and, more importantly, where you don't.

Adam McNair: When, something else that I'm really hearing too is, you have to embrace the philosophy that this is important and it needs to be integrated. You know, I think that do-it-after type, whether you apply that to, you know, when you're going to document a system. I've worked on programs before that, it's like, okay, we're done. Now it's time to document what we did. You know, like, that's really not the way. I mean, you're going to be here forever and you're not going to find or remember, and so forth. And the other thing it sounds a lot like, you know, from a compliance standpoint, you know, we have a lot of ISO certifications, some CMMI, you know, maturity, and I've worked at and worked with a lot of organizations that treat that as a compliance after-the-fact activity, because they don't see value in it really from a business standpoint. So in the same way that, you know, somebody doesn't see value in the RMF process, they don't think it's really, they think it's something they have to do, they have to be compliant with, and then let me get back to, you know, building my software. And I've seen a lot of times where you have an ISO audit coming up at, you know, the end of, you know, you have to actually recertify every, like, three years. I won't say their names, but I worked with a program that every three years they would send a whole bunch of people from headquarters down to this program and start, what all are we supposed to have? Oh, no, none of these documents were updated. Oh, we got to do this. And because of that, there wasn't any value derived from those methodologies onto those programs, which made everybody on the program feel like this was a fake paperwork exercise, because it essentially was. And so then there's nothing more frustrating than sitting out filling paperwork out for no other reason than to have it be filled out. 
So then everybody's irritated that they have to do it. So I've definitely been on programs where the RMF process was, you know, one guy in the corner, and you were just like, get this stuff filled out so we can continue. Security theater. Yeah. Yeah. But so what I'm hearing is that if you really adopt the idea that this is something that you should have integrated, you know, do you believe that when you incorporate NIST control thinking and all of this, do you end up with a better application at the end of the day?

Bryon Kroger: Absolutely. Yeah, absolutely. I mean, just look at the number of misconfigured S3 bucket incidents there are. And this is an area where I take issue sometimes with all of the RMF critics. Like I said, don't get me wrong, there are things I would love to change about RMF, but things like security... Especially when people are just starting out in their Agile DevSecOps journey, they kind of like to throw out process and planning. They're like, Agile means no planning, Agile means no process and no documentation. And then this other thing that we see a lot is that they're not focused on what it means for their future agility, right? So the fastest way to shut down a program today is to have a security incident. That should be a motivator. The other one is that it's also the law, right? It's worth noting that NIST RMF is how federal agencies have decided to meet the FISMA requirement, which is an act, a law. So there's that too. But it turns out that agility as a process lends itself well to areas of uncertainty, right? When we don't know exactly what we need, agility is a mindset, a culture, and a set of corresponding actions that we can take on to learn. We learn as we go and as we iterate. But there are things... When you have a known issue, there's no uncertainty here. We know about 500 security vulnerabilities. It turns out Agile is not appropriate for dealing with 500 known security vulnerabilities. Lean Six Sigma is, right? So it's a misapplication of process. And I think it's really important to understand that, yes, sometimes checklists work and are beneficial, like when you have known vulnerabilities, known information security standards and protocols, and secure implementation guidance. We need to keep those things up to date too.
So there's criticism on that side as well, but it's super important. And one thing that you said: it's just natural human behavior that folks, particularly when they're not good at delivery, their entire focus is on delivering the value first, by any means necessary. And so the way you get people to shift left on security is by freeing up their focus, their attention, their resources, by making the path to prod have less toil in it. So step one, before we even really talk about this, is creating a well-oiled path to production, so that people's time and energy aren't spent putting out fires all day long and they can actually focus on security. And then there's natural human behavior. So I think it's still important to have things like spot checks and pen tests. And when you do those on a quarterly basis, or even a monthly basis, you get out of the "I'm just going to kick the can on that until year three."

Adam McNair: And I also... I have historically always been, I don't like doing things that don't have benefit to them, you know? So if you just give me paperwork to fill out, I'm the first person that will really not want to do it. And what I've seen is, as we went through the CMMC exercise as a company, we spent a lot of time with the NIST controls, making sure that we were CMMC compliant. As we've done all of the ISO and CMMI scaling that we've done, there were things that we ended up implementing that seemed like good things to implement, but were probably not necessary at the time. Where you find out is later down the road, with some of the simple NIST controls around things like administrator accounts and all of those kinds of things. As our IT team has grown and changed and evolved, we would get ready to do something new and realize that, because we had followed a best practice with guidance in it, like NIST, there was thinking that we didn't even realize we had taken advantage of. So at such a time that we needed to, for example, create a CUI enclave to partition off controlled information, we had all kinds of abilities in place, and when we had bought tools, we had used those requirements to select tools that had those capabilities, which we didn't even really need at that time. We were just looking for them to be NIST compliant. So I do think that if we could evangelize the idea that a lot of these best practices, if you haven't seen the value in them, it's because you were treating it as a paper compliance drill, and you didn't take the time to really get into the benefit that you could derive from it. Now, I did want to ask another question, and this is as a non-DevSecOps engineer. So you talked a lot about automation.
So from a theory standpoint, automate where you have the most variability, where you have the most change. I think that makes a lot of sense, because as we've done programs, there are some systems and some parts of systems that are never going to change. And so whatever you wrote down for that control three years ago, you can double-check it, but there's no real material change. When you talk about automation in this kind of a setting, how does one go about automating that part of the security integration?

Bryon Kroger: So there's a lot to unpack there. There's a controls-level compliance answer, and then there's the implementation side of the answer. On the controls piece, there are a few things we want to do. The controls are a massive amount of paperwork, so the first thing we want to do is digitize that. Most of the programs we work with use SD Elements. And I'll say SD Elements favors the developer and is more focused on the developer than the SCA, the security control assessor, or anybody really on the security side. But what it does is it takes those NIST controls and makes them easier to understand and easier to digest, as tasks that can be put into the developer's backlog. So not only have I digitized the security control, but now I can push it into a backlog and I create a traceable identifier. And for things that are code-level implementations, for instance, I can then link that to their backlog, which then would link to their source code repository. And so if I'm a security control assessor, I can look at that control, look at the associated task, and see how it was implemented. So we're actually creating a whole bunch of this, and that's probably the most time-consuming part of the whole process when you're going through your NIST review for assessment and authorization. And so that was a prime area for us, for maybe not automation, it's still fairly manual, but digitization, and having traceable identifiers all the way through. Yeah, traceability is important, and then transparency, right? A lot of people on the innovation side try to be as not-transparent as possible, for good reason, because people often weaponize transparency. But in this case, I think the best policy is to just start out as transparent as possible.
You're giving assessors and authorizers an unprecedented level of access to things like your backlog, your source code, and then also, an important part: there's the static and dynamic code scanning, which is automated, even in the legacy systems, right? Using Fortify, for instance. But it's not well automated, and so often you're waiting in a queue to get your Fortify scans from some centrally run organization that only has a limited number of people and maybe doesn't understand your technology either. And so we kind of democratized that a bit, making it a resource that's available to teams on demand, just like any other cloud resource. It's self-service and it's on demand, but the rule sets are still owned by assessment and authorization, so you maintain your independence for IV&V, right? And I think some of those concepts are really important. That's all, in the end, primarily at the application layer, although you could use SD Elements at lower layers as well for your entire control implementation.

Adam McNair: Yeah, I will say that idea of being able to self-service scans is... I mean, that could be life-changing. I can't speak for every organization, but I have definitely been up against a wall before where we were just waiting for some organization to scan our stuff. It's like waiting for UPS to show up with a package that you need, and you're just like, I can't believe we just have to sit here and wait, and then you're ending up waiting for weeks. And again, every agency is different, every organization is different, but I've definitely had times where you were trying to get your customer to call and beg and cajole whoever the security organization was that did the scanning, to try to reprioritize. There's a lot of cool stuff that you said, but I wanted to point out that that's a huge deal. But yeah, you were continuing, please.

Bryon Kroger: Yeah, well, I should expand on that really quick too. Then what do you do with those scan results? That's always been a problem as well. You're probably going to have to POAM. There's probably a bunch of false findings, and a whole bunch of things that create quite a mess sometimes when you get those scan results back, especially if the person running those scans doesn't understand your tech stack. And so there's one automated thing that we did, and then one more manual, human-based thing that we did. And again, you don't have to do these things to get CATO. Any AO in the DOD could do essentially what's continuous ATO, although there's a new memo out from DOD with new guidance on this. But what we originally did and intended at Kessel Run, and I can't speak to where it is now because I'm gone, was ongoing authorization under NIST 800. Any AO can grant an ongoing authorization, and the Kessel Run continuous ATO was just a specific implementation of ongoing authorization, specifically one that allows you to do DevSecOps. So, going back to the point: you get those scan findings, what do you do with them? Well, we want to digitize the POAM too. And when you digitize the POAM, there are obvious advantages to just digitizing anything and creating traceability and transparency, but you also can now set up alerts, right? If somebody says I'm going to address this in release five, or I'm going to address this in 90 days, you can actually check up on that. It's not that people don't have the intent to do that, but when you have a hundred systems under your purview and a hundred POAMs, we just don't have the manpower to follow up, or even know that we need to follow up. And so that's really powerful.
And then the human thing that we did is having the authorizing official, and typically they have an SCA, a security controls assessor, hire SCARs, security control assessor representatives, who are technical in nature. So at Kessel Run we used Beyond Mission Capable Solutions, BMCS, a great team. Dark Wolf is another firm that provides those kinds of services. They do a really great job of coming in and helping the SCA and the AO, who might not know DevSecOps, cloud, anything like that. When you look at some of these folks' backgrounds, they're risk-oriented people, not necessarily technical. They really translate controls into risk and are able to make sure that the team's assessment, as they're going through how they've implemented controls, is correct. So there's a lot of advantages there. And then the last area for automation, even though it might not change as frequently, is almost kind of like a freebie that you can get now. This didn't exist when we started, or at least not to the degree it does now. But at the infrastructure layer, there have been so many advancements with infrastructure as code, and the vendors, particularly AWS and Amazon, have actually gotten infrastructure as code templates ATOed in their ability to meet a certain subset of controls. Now it's fairly low in the stack, so if you're dealing with like 900 NIST controls, it might cover 200, depending on what IL we're talking about, but that's pretty significant. And so DISA, they just renamed it, it was the Cloud Compute Program Office, now it's HPCC, I'm butchering it, something like that. They actually ATOed AWS's template. I don't know if they've done Azure yet or not, but I've heard that it's forthcoming. So that's really powerful, right? Now when I go to start my new program... At Kessel Run, we had to go map the entire infrastructure layer.
Now I don't even have to worry about that. Somebody's already done that. DISA authorized it. This is IL4, here's the ATO. You just worry about what you put on top of AWS and the shared controls, right? So there's a shared responsibility model here. And what's funny is, as much as people complain about this kind of control framework, you see this in commercial: when you go to AWS, they give you a shared responsibility matrix. Here's what AWS is responsible for, here's what we share responsibility for, and here's what you're responsible for as a customer. And those are essentially controls, right? And so we want to do that same thing in the RMF framework.

Adam McNair: Yeah, and I think with all of these governance and process type activities, when you start to scale an organization, you find out that there's a reason at large scale why these things exist. Because when you thought, like you said, you might have one POAM that you can keep track of, it's not a big deal. When you've got a thousand, then all of a sudden, finding the information, just the awareness that those are things that need to be done, and trying to run the knowledge management gamut of making sure that whatever development team is going to work on that actually knows... Because a lot of programs that we have, our sprint teams get moved around. And so it's not necessarily like you have one person, and you go over and she's the developer for that system, and so that's who you go talk to, and she knows absolutely everything that's ever happened. You very possibly might have a team that's just kind of dropping in and working on some stuff, and the fact that, oh darn, this thing was supposed to be changed and updated to address this POAM by such and such a date, they don't know. Now Kevin, I've got a question for you. Some of our DHS programs, with Army work there, Kessel Run, some of these different programs: where do you feel like developers and the technical staff are these days with the concept of embracing some of this security process? Because I can visualize and remember times where I've walked into a program and you had developers everywhere, and then there was a security person, right, that had their own cube somewhere far away. And you could tell that everybody did everything.
And it was almost like security had to kind of chase them around and go, hey guys, would you please... I went to go check the documentation repository. Yeah. And then when you got to that point where you're like, we've got to get all this stuff done and get code scanned and get it done so we can get our ATO renewed, then all of a sudden some customer would come in and go, nobody's listening to the security guy and everybody needs... like, we're running out of time. So where do you see that? Technology theory has changed a lot, and DevSecOps, with the continuous nature of it, has really changed a lot of thinking. Where do you see that from a security standpoint now?

Kevin Long: Yeah, for sure. I map it this way. There are some developers that like the way it was and just want to be left alone and want somebody else to handle the security piece and put it off. We're seeing less and less of those. What we're seeing is more and more developers that want to build things, want to see what they build in use, want it to work out and want to be able to solve the problems. The more you can make ATO just part of what they have to build, part of their work, and they see that because of this, I get a path to production, I get to see problems solved, I get to have what I do matter, they love it. Because developers are like carpenters, right? They want to build things and see what they do used. Shelfware is the most demoralizing thing to a developer. Amen.

Adam McNair: Yeah, and so that is encouraging, but it also, I think, does make sense because, to your point, when it's some other person, some other team, when you just went and built everything and you get some nebulous note back that that's not going to work that way, then you're automatically irritated, and then you're losing time and wasting time trying to get somebody to explain to you why they think that there was an issue with it, or you're done and you're waiting for security. So all of those things, I think, when you're a really highly technical, high-achieving person, all of those things that you want to do, which is let me knock this problem out, let me see how this works, let me get this done... Every time, it's like when you're working on your house and you have to go back to Home Depot for something. It's really frustrating because it kind of messes up your vibe of what you were doing.

Kevin Long: Yeah, it's very much... I mean, I guess I've been around for a little while, because in the beginning I saw that the most frustrating thing to a developer was a tester, because it was an us-versus-them and they were applied at the end. Then, with more and more unit testing, more and more automation, they got brought into the fold. They're part of it. It doesn't bother people so much anymore. Security is now the same way. The more you make it less us-and-them... It's the cultural shift of DevOps: when you bring engineers in with developers and you put them on a team, it's not us versus them. It changes the mindset. UI/UX: it's not, oh my God, I need to move this button from here to there. It's no, we as a team are making something more usable to solve more problems. Security, when you loop them in, is the big tent where everybody there is solving the problem. And the more you can make it us solving the problem instead of us versus them with problems internally, the better everything happens.

Bryon Kroger: Yeah. And you still have to account for the fact that it's the developer solving problems that they care about, and recognizing there are some problems they don't care about. I get criticized for this sometimes, but I'm pretty honest that, for a lot of developers, and I think maybe most developers, it's unrealistic to think that they're going to care that much about security. It just is. They want to build things. And using the carpenter analogy, it's like, yeah, you want quality, right? They care about quality software, but they don't necessarily see security as an element, any more than a carpenter is worried about break-ins at the house. But the homeowner is, and so I have to figure out a way to align the carpenter's interest with mine, or in this case the developer's interest with mine, and that's, like Kevin said, they want to see their work being used the way that it was intended. And so there's kind of a twofold problem that we're seeing, right? Continuous ATO is this huge carrot. It's like, you can get into prod faster than you ever have before. And when you go to a place like Kessel Run or Army Software Factory, Section 31, Bespin, all these places, it's palpable. These developers are in love with this new process, even though it can be frustrating at times. It's less frustrating, less bureaucratic, and faster than what they dealt with before. But then you have this problem, kind of twofold, I guess. One is security theater. And that could be people doing it intentionally, or thinking that they're secure. They're like, oh, we're doing this continuous ATO thing. I do SAST, right? I've got my static and my dynamic scans, my software is good.
And then it's like, congratulations, but your S3 bucket was misconfigured. Which, by the way, look up the stats on the most common causes of data breaches for organizations: misconfigured S3 buckets, right? And so those are the kinds of things that we need to catch, and there are things that can happen at the application layer, too, that scanners won't necessarily catch. So it's just really important to make sure that we're aligning those interests and figuring out a way. So this is what's really important about the path to prod; it's twofold. One, those pipelines, which we'll often talk about as secure release pipelines, are giving developers real-time feedback. So that problem that you mentioned, Adam, about finding out six months later that somebody said this isn't going to work, we have to rearchitect: you get that feedback on your commit. And most of these teams are committing multiple times a day and deploying multiple times a week, so they're always getting feedback, and it's not building up a bunch of tech debt that then costs them a ton of rework later. But it also does another thing that people don't like to say, because we like to err on the side of freedom and responsibility, but it blocks them from going to production too. If you have a critical vulnerability, you are not getting to prod. If you haven't addressed your POAM, you're not getting to prod. And the thing that we have to watch out for then is shadow IT. The thing that I see that's really undermining this right now, aside from people doing fake continuous ATO, is a lot of shadow IT, where people are like, I don't need to do all that work, I already get to deploy to production on demand, right? Why am I going to do all that? And so you have to figure out a way to rein in shadow IT to a degree to make this successful. It's spoken like someone who's never been hacked.
It's not real to people, right? It's just not. We can complain about that, but it's the reality, so we just have to figure out how to address that very real human behavior.

Adam McNair: Yeah, I agree with you there. I mean, anytime you have any kind of a security conversation, whether it be... I had a lot of conversations about CMMC when it was announced, and all the "it could be a burden" and all this stuff. And I always felt like, look, we as a company are always terrified about getting hacked, you know? And some places that I have worked, not while I worked there but after I left, did get hacked and ended up with not crazy sensitive, but customer data getting published out on the web that shouldn't have been there. Anything that you can do to have maturity around your security program and understand that these things do happen... And I think a lot of, like you say, everybody thinks it's not going to happen to them, and then they think it's maybe not as widespread as it really is. Yes. Now, here's a question. So you've talked about people doing fake CATO, essentially, and there's other ways around it. If somebody wanted to implement this in an organization, is it, I'm guessing like a lot of things, mostly cultural challenges and adoption? Like, the tech's probably fine. I mean, you have to know what you're doing and you have to know how to orchestrate it, but is this basically just a culture and philosophy challenge to get this done?

Bryon Kroger: It is a very extensive manual process when done manually. So I think there's a fair degree of... it's really a combination of culture, process, and tech. I couldn't separate them out very cleanly. The hardest part is definitely the culture piece. I can go implement the processes and the tech very, very easily, in a very short amount of time, but getting people to come along culturally is very difficult, I would say. So you're definitely right in that, but all three have to be done in parallel. And it's a lot of work. It's a significant undertaking.

Adam McNair: Yeah. And I'm imagining that the processes probably have to be tailored specifically for the environment, right? Like your specific systems and tools and all of that. So it's not a pre-cut playbook that you just walk in with. You're sitting in, tailoring everything for the particular environment. So that would be time-consuming, right?

Bryon Kroger: To a degree. I mean, it depends on what we mean when we say process. By and large, the ongoing authorization, following NIST RMF, is fairly standardized. And so coming up with an automated or continuous approach to that is cookie-cutter pretty much every time, or can be. There's multiple ways to do this too. We've done it in a particular way, but there are others doing it different ways. But yes, there's a couple of things we haven't really talked about yet, right? It's full stack. So when we talk about doing this, could you do it outside of a cloud environment? I think it would be really difficult. So I'm just going to default to saying you're starting with some cloud-based environment with self-service, on-demand infrastructure; you're deploying some platform layer on top of that; and then applications and data on top of that. So you're going to have to go in and do the controls mapping for that full stack. I advocate for using commercial solutions because they keep them up to date, and they're the ones managing that; you just have to operate them, or configure and operate them, in your environment. But you're going to have to do all of that work. And so you definitely want to share where you can. If somebody else has already done the controls implementation, you want to copy that, especially if it's infrastructure as code or some automated way of implementing it. And then when you get up to the application layer, yeah, that's all going to be very dependent on the kinds of applications you're deploying and the tech stacks that they're using. And that might drive some different tooling, right? If you've got a bunch of Kotlin apps and your scanner doesn't work for Kotlin, you're going to have to choose a different technology than they did.
So there’s some variability there, but I think by and large, it’s pretty straightforward.

Adam McNair: Okay. And then... Every customer that's ever asked me for a time quote, I always tell them all the reasons why it's really challenging to do that. So I'm going to do that to you now. I know that there's massive variability in organizations and size and all kinds of dynamics that would impact it. But if somebody is running a program office and, like you say, they have a general foundation, they're in a cloud environment, full stack environment, all that: is it six months of planning and six months of implementation? Is it a year of just overall integrated work? Is it three months until something's ready? Notional timelines for something like this: what do you think that feels like?

Bryon Kroger: Yeah, so if they're willing to utilize, we'll call them already-ATOed solutions at the infrastructure and platform layer. So they're going to go with AWS plus, I don't know, pick your Red Hat OpenShift or Tanzu or Rancher for a Kubernetes layer, and whatever's deploying on top of that. If they're willing to do that, which already have controls mapped, and I don't have to worry about government people or other contractors trying to develop and then operate and maintain those solutions, then I am very confident that I can walk into a brand new organization and have a continuous ATO in less than six months. If they're going to try and do a DIY Kubernetes, it's going to take nine, 12, maybe longer, depending on how long it takes that team to build a platform. The biggest problem here is not the continuous ATO. It's people underestimating how hard it is to build and operate platforms. And there's this current movement towards open source, which is great, but kind of overdoing it with open source and not realizing that open source is free like a puppy: it comes with a lot of care and feeding. And that's often where the government folks I'm seeing get stuck. But if I have control over the tech stack, I am just super confident about coming in and having it done in less than six months, even with the culture barriers that I know I'm going to face. Gotcha.

Adam McNair: Well, so, I mean, if somebody's listening now, if you want to have CATO in place by October, I mean, you can be running it by Halloween. I mean, that's...

Bryon Kroger: Let's be honest. We know the contract's going to take at least a year.

Adam McNair: Well, there's always that piece, right? Yeah. It's like half the time that we go to hire somebody, a customer will say, well, how soon can they be on board? And I'm like, well, look, in order for their paperwork to go through, unfortunately there's nothing I can do about that. And I don't know how many times this has happened to you, but you try to put four people on a program at the same clearance level, and three of them are already cleared, one of them is not. And there's this weird shuffle where one person's paperwork, it's like they shot it into the sun, and they sit there for six months and still don't have a badge. One person, it hits in like four days, and then the uncleared guy gets cleared and in before the last person who was already cleared. So those kinds of paperwork things do take time. All right. Well, the last question I think we had was: where do you see this going? Is this the big trend where you think all DevSecOps organizations are going to end up at some point?

Bryon Kroger: Uh, definitely in the high compliance spaces.

So, and it’s not just government, right? You’re you’re seeing this, in fact, leading the way is kind of finance with, you know, Sarbanes Oxley compliance. There’s the health sector with HIPAA. A lot of times they also are dealing with NIST in some form or fashion. So anywhere where you see high compliance requirements, um, Definitely think that’s the case. Uh, but it’s interesting, you know, there, um, one, uh, the DOD, I mentioned this earlier, published a memorandum, uh, there’s, there’s like an unconfirmed rumor that a lot of what was driving that was What I mentioned earlier, if people not doing continuous ATO well, uh, and maybe creating risk instead of reducing risk, which by the way, continuous ATO and DevSecOps, when done appropriately, reduces risk, just get that out of the way. You don’t have to accept additional risks to do DevSecOps, you’re actually reducing risk for a plethora of reasons. But, um, yeah, when, when not done well, obviously it creates huge vulnerabilities or can. And so, uh, the memorandum. Uh, was, was trying to set a baseline for what needs to be done. I think they took some missteps in, in the memo, if I’m being honest. Uh, well attribute that to me, not to the podcast, but to me, I will say that. Um, but it’s V1, so I’m excited to see how they iterate from there. Um, but I think. The, the kind of overall theme from the memo is, is on point, right? We need some iteration and language and some of the specifics, but by and large, the, the four main points that they emphasize, I would encourage readers to, to go check that out, um, is, is kind of. The baseline for what we need, uh, and now we just need to figure out how to institutionalize it without ruining it. Like forcing everybody to go all the way up to the DOD CISO, um, is, is a challenge, uh, to say the least. Kessel Run probably wouldn’t exist if we had to have gone, uh, to that level. Um, so I think, um. 
Where we’re going to see this go in the future is, I think they will have to figure out a way to get to much more automated solutions, which means getting off of eMASS. Uh, so that’s a big thing to look out for as an industry trend. Um, you know, whether it’s getting off of eMASS or significantly evolving eMASS, one of the, one of the two, but it’s, it won’t be able to meet the needs of, of DevOps, and I think one other possible trend that we might see is is a dual path and I would actually encourage the DoD to consider this is you don’t want to make something tailored to DevOps that then doesn’t work for legacy programs because legacy programs are still like 99 percent of the DoD, so, um, having this kind of dual path option, uh, and having, you know, a different set of expectations is important. And with that, there is a tendency to take, uh, people’s current performance and set that as the bar, which creates a barrier to entry. So even in the memo, they talk about raising the bar and all I hear is raising the barrier, you know, raising the bar is important when you need to set a standard. But if you take that too far, you’re just creating an unnecessary barrier. And I think in some cases where we’re looking at creating unnecessary barriers. So my caution, and I’ve given a few trends, but my caution as we go down these trends is to make sure that we’re always evaluating if we set the bar artificially high, like what’s the minimum? People don’t like to talk about minimums in security, right? It’s a tough conversation. It’s risk management, like we, we can’t make it so hard that nobody does it. Otherwise we defeated the whole purpose. And so, you know, we can’t take Kessel Run’s current state, you know, four years later, five years later, and be like, Oh, this is the bar that we’re going to set for all the new programs. Like, no, you, you probably need some sort of MVP for, for what this looks like and making sure that it’s realistic for newcomers too. 
So, um, yeah, that’s where I’m at with all those. 

Adam McNair: Well, I think that makes a lot of sense. I mean, I, I think anytime you look at a high maturity organization doing something complicated and you decide that you want to start doing that, that, that maturity barrier of, well, how do we start at that level? I think that’s a common, you know, trend with a lot of things. So, um, and then I was also going to bring up, it sounds like, so you have a live stream coming up. It sounds like, uh, you want to talk a little bit about that? 

Bryon Kroger: Yeah. So, uh, we’ll have Danny Holtzman on there who has. The, the first AO, um, along with Lauren, Lauren actually signed the first continuous ATO, but, uh, she did it hand in hand with Danny Holtzman. Um, he’s the AO for a lot of Air Force C2 programs, uh, and also DOD platform one. Um, and then, uh, we also have, uh, Lanye Ford. She’s, uh, she supports like AOs and SCAs at that level, the ANA side. Um, And then Angel, who was the Kessel Run Chief of Cybersecurity, now the CISO at Army Software Factory. So, pretty good panel or lineup there of folks that have implemented these on the ground. In almost every case from the ground up. So I’m excited to see where the conversation goes. I also haven’t talked to a lot of these folks in quite a while, or with Lanya, we haven’t talked much at all. So it’s going to be a fun and interesting conversation, I think. 

Adam McNair: Very cool. That sounds fantastic. We will make sure that we tune in and we will share it out on our, uh, On our LinkedIn with, uh, along with this podcast. So I, I just, you know, in, in, in, in wrapping up, I just say, Hey, thanks so much for taking the time to come on, to talk about this. We certainly, you know, value the partnership that we have with you guys. And, uh, really great to get an opportunity to, uh, To talk to you today. 

Bryon Kroger: Yeah, thanks. And don’t undersell like y’all are, are, you know, powering a lot of these, uh, continuous ATO, particularly the Securel pipelines and the tool chains behind them. So, uh, I appreciate the work you all have been doing. Um, you know, you were a customer of actually of some of my folks when they were still government, uh, and, and they were super satisfied. So, uh, I’m glad that there’s folks like you out there really pushing the ball forward on, on how to implement this as well.

Adam McNair: Absolutely. Well, uh, but great. Thanks for, uh, thanks for coming on. Kevin, thank you so much. And Victoria, thank you. Everybody, thanks for listening to the Highlight Cast. Uh, we, we will have this up on LinkedIn and you can stay in touch with us also on the web, uh, highlighttech.com. Uh, thanks everybody. And we’ll talk to you on the next episode.

The views and opinions expressed in this episode are those of the hosts and do not necessarily reflect Highlight Technologies and or any agency of the U. S. government.

Episode 21 | Small Business Partnerships and Utilization 

Announcement: Broadcasting from Fairfax, Virginia, you are now tuned in to The Highlight Cast with your hosts, Adam McNair and Kevin Long.

Adam McNair: Hello everybody and welcome to another episode of The Highlight Cast. Hi, I’m Adam McNair from Highlight. Appreciate everybody taking the time to tune in. We are joined by several special guests today. Uh, First off, we have both of our business unit leaders from Highlight here from Digital Government. We have Kevin Long.

Hey, Kevin, how are you? I’m great, Adam. Thanks for having me back. And excitingly, uh, happy to have, uh, our Mission Services business unit leader, Tamar how are you? 

Tamar Mintz: I am so happy to be here. 

Adam McNair: Fantastic. Yeah, this is, uh, this is exciting to be able to have, uh, both business units, uh, on the, on the highlight cast today. And, uh, our topic today is about small businesses and small business utilization. Uh, as a company, we have been a small business and are in the process of transitioning to, you know, really there’s only kind of two status for a business. You’re either small or you’re large, and we end up calling ourselves a mid size, but from a government procurement standpoint, there generally is no such thing as a mid tier business. You’re just either small or large, but so we have two of our small business partners with us today. So, uh, wanted to welcome, uh, Rish Patel. Rish, how are you? Well, I’m doing great. Excited to be here today. Thanks for the invitation. Great. And could you, uh, kind of introduce everybody to, uh, to your company, please?

Rish Patel: Sure. Yeah. Uh, my name is Rish Patel. I’m CEO of RP Professional Services. We’re a service disabled veteran owned small business and, uh, in house, a small business. Um, we support both the federal government on the mission solution side and the technology solution side. 

Adam McNair: Fantastic. Thank you. Thank you, Rish. And we are also joined by Jatinder Sehmi . Jatinder , would you like to introduce your company, please? 

Jatinder Sehmi: Yeah, sure. Thanks, Adam, for having us. And, uh, hey, everybody. My name is CEO of Fodley Consulting Group. Uh, yeah, we’re really excited to be here today. We work really well alongside Rish, and we’re also pretty much on the same trajectory. So I can just literally mimic what Rish said. We’re a small 8A business in the GovCon space and, you know, do exactly the same thing Rish does. 

Adam McNair: Yeah, well great. Well, happy to have you guys, you know, um, it is, it’s common for us to team with other companies. You know, there’s a lot of different reasons for doing that. Uh, sometimes somebody has a particular skill set, sometimes it’s just, uh, extra, extra level of effort. Um, you know, we’ve had, you know, a lot of instances where we team, but as you graduate to being a large business, the procurements actually require you to, uh, to add small businesses to the team and really focused in and tried to make sure with our partner program that we work with, you know, the same groups as much as we can. Um, and so sometimes that’s on bid. Sometimes that’s on existing programs. Um, I was going to ask, uh, you know, Kevin and then Tamar. Are there, uh, specific instances where, you know, reaching out for for teaming? Um, there was there was something that you really felt it was necessary and you needed to reach out to add to the team and kind of what your what your use case was. Why did you need to go team? 

Tamar Mintz: One of the benefits of working with the small businesses as a small business is you have the same mindset. There’s this really strong mission focus and the ability to be agile and flexible. And especially on our programs, we want to make sure that the customer is always first. And that means that you sometimes have to do things that a larger business can’t because there’s a lot of red tape. Um, I think that the other benefit is you’re able to meet and integrate with the core members of the team. So for example, both with Jatinder and Rish, we’ve been able to establish these relationships. So I know that the work is going to get done effectively and that it’s going to be done morally. And it’s going to be done to the best of their ability. And I think that’s so important to our federal customers. It’s not just the name of the business, it’s ensuring that you’re getting the best support. So that’s my two cents, Kevin. 

Kevin Long: Yeah. Um, for sure. When, when, uh, I’m looking at, at, uh, teaming for small business, uh, you know, before, before we win the work, you know, I mean, just, you know, from a purely mercenary point of view, sometimes only a small business can bid on it. Right. And so finding a partner for that, if it’s a really juicy piece of work that we want to do, uh, working with one of our partners, that’s able to, To prime that and have us help them win is something that I look for. And then when we’re priming, also, a lot of these bids are a lot of work. And I find that small businesses often have a lot of customer knowledge. They have a willingness to pitch in and help. And, you know, many hands make light work. And like Tamar said, there’s, I mean, honestly, there’s less red tape with smalls than there are big ones. Are with larges and when you get them on the team, uh, at least the ones that we like to work with, uh, you know, they’re, they’re all in, uh, they share our, our, our ethos. They share our work ethic. They share our approach and it just, it makes it so much easier to that. You can make a lot of assumptions as you’re going forward that the things are going to happen, right? And that the work is going to happen in that. Everyone’s going to be pulling in the same direction. And so, yeah, I mean, I love, I love, I love making my job easier by working with more people. 

Adam McNair: Yeah. And that, that, that point about kind of the ease of working with the companies, um, some of that I think is, is entrepreneurial spirit of the leadership team. There’s also some just pure logistical aspects to that. Um, you know, Large businesses, a lot of times, if you have an approved purchasing system that, that is, is audited every year, you have to operate your purchasing department almost like the government does, where just because you want to go get somebody on a team, you need to demonstrate that you sent, you know, you solicited quotes from multiple companies and that you did a competitive process. So there are, when you work with the. Real giant large businesses, uh, a lot of times it almost feels like that procurement process is the same as the, you know, kind of the same rigor as the federal procurement process. So I, you know, I was gonna ask, I think there’s, you know, that logistical piece, but there’s also kind of the, the entrepreneurial mindset. So, you know, Rish, I wanted to ask you from, um, starting up your, your, your company. Okay. Was the the intent to start it out as we’re going to be really flexible and we’re going to be entrepreneurial or is that something that has evolved? Like, what? What was your core motivation? Was there a cultural? This is what I want my company culture to be. And I want us to be easy to work with. Was that was that a core part of starting the company? Or does it? Um, 

Rish Patel: that’s a great question. Um, I think, uh, I’m gonna go out on a limb and say, you have to be flexible when you’re starting a business, right? You have to have that mindset because, um, If not, you just, you just won’t survive, right? You can’t be a rigid, small business. I was gonna want to work with you. So, uh, that was, I mean, that has to be the foundation of it, but, you know, when we looked at, you know, what we want it to be, right. Um, it goes back to our company tagline, our motto, which we’re actually getting trademarked because I believe in it so much. Um, it’s, it’s people, not just resources. Right. And we apply this. This trademark, this, uh, this motto to really everything from the way we manage our people, to the interactions with our clients, to how we treat our partners and even our vendors as a small business. Right. Um, and it just goes back to treating the folks that you’re working with as, as the people that they are. Right. And our, you know, as, as a business, I mean, I think our top product is our people, right. We’re a services company. Our, our. Our widget is a person, right? That’s what we, that’s what we, uh, how we make our money. And so we want to make sure that, you know, we have a very people centric, uh, approach, right?

Adam McNair: Yeah, that certainly is. It is interesting, I think, that you, that you started there. Um, you know, I think a lot of, a lot of times when you’re starting a company, the I hear a lot of times just a either a technical idea or a customer relationship and, um, it, it, it makes sense. I think that that you had that kind of strategy because it’s certainly that’s, I think, been our experience working with your organization. Jatinder , in your business, when, when you were starting up, uh, oddly, was there a, was it just an entrepreneurial mindset? Did you, did you have, uh, an end state goal in mind? Like, what, what brought about your decision to start up a, a GovCon services organization?

Jatinder Sehmi: For me, it was just, I’m an entrepreneur at heart, so I mean, I’ve been doing this 20 years. I just truly love doing that. Whether it’s business or personal, I still feel that I have that entrepreneurial spirit where I just want to spread love and culture and stuff like that. So, getting into the GovCon space was Newer for me, they weren’t really in line with some of the other businesses I’ve built over the years. But one thing I had done a really good job of was always building fantastic culture and all those, and I wanted to kind of try to take it into the GovCon space and build my, I’m going to talk about companies primarily around culture and company culture and relationships. That was probably the determining factor of why I actually did this and then things just started evolving from there and I started meeting great people such as all you guys in this call and plenty of others. Right? Building those relationships is what keeps me alive every day. Uh, we don’t really chase the revenue side aspect. We’re a little bit different in that way. That is not in my top three of what I want out of my company. Obviously that comes along with it. Um, and the more it comes, I mean, that’s great too, but I like the culture side. I like building things. Um, I liked, you know, I would like to build a house with somebody and look back and say, Hey, look what we built. Not really, not necessarily looking at the monetary value of what it may be worth or whatever, because that’s secondary to me. Uh, so yeah, I’m, I’m happy to see where this ride takes me, but, uh, so far, uh, I’ve been blessed and, uh, You know, I mean, blessed by really good employees too. So, um, yeah, that’s it. 

Adam McNair: Yeah. And, you know, to, to, to add on to something, uh, you know, that you said, I, one of the things that we say a lot in our business development meetings is that, you know, if you, if you continue to do the right things consistently enough, that, that growth will come. You know, you can’t, I’ve always believed that you can’t chase an individual deal and live or die by it, you know, it is a process because there’s, there’s just too many variables in, in, in any of these procurements or in any of these programs. I think we’ve all had programs where you thought there was going to be a lot of value and either an agency consolidates or a budget changes. And you can objectively step back and go like, is there anything else that I, I should have done to have that program not end early? And realistically, there’s, there’s not, you know, there’s not a lot. Um, but I also think that there are times where, you know, I’ve been a subcontractor to somebody or I’ve worked with another business where I, I felt like a lot of effort went into winning a program or delivering a program and I ended up with such a, a minor role or not really a seat at the table, um, in the overall delivery and it kind of felt like, well, you know, I, I, I just wish I could be more impactful to this program and if you’d let me, I, I’d, I’d really like to help. So I was going to ask, you know, um, you know, Tamar and Kevin, have there been experiences that you’ve had that you’ve drawn on, you know, you both clearly have a strategy in a way that you interact with subcontractors. You know, a lot of times we write in proposals, you know, it’s, this isn’t going to be a pure prime sub relationship. We’re going to be partners and I’ve been a part of a lot of situations where that clearly was in writing, but that was not what they meant. 
What they meant was, we’re going to be partners until we win, and at that point, if we need something from this guy and we can’t get it from ourselves, then maybe we’ll ask him. But otherwise, he’s not coming to meetings, he’s not going to know what’s going on, and you know, he’s just some guy with a subcontract. And I didn’t really feel like I was part of the program. Are there, are there. Specific motivations that you have or, or techniques or strategies, uh, for, for integrating, you know, a team for, for, for whether it’s winning or for delivery.

Kevin Long: Let’s assume that we’re starting from the beginning. When I, when I’m putting together a team to win work, right? Um, I’m not just going to, Add subcontractors that subcontractors, right? There is an analysis into reason why everybody is on the team, right? Either, you know, it’s customer intimacy. There’s a specific skill set. There is, uh, you know, there’s something that they bring to the team. That I look at and I go, yes, this will help me win and execute. Right. And so, yeah, I mean, when I look at bringing folks on, uh, you have conversations with the team teammates early on, it’s like, this is what I expect out of you before this, what I expect of you during this is what happens if I don’t get that. And, um, nobody gets surprised by. By how I tend to operate in, in, in execution after, after we’ve gone through teaming and having that common understanding throughout, I mean, really means it’s like when you’re a teammate, it’s like, look, I need you to hire. It’s a PMO contract. I’m going to need you subcontractor to hire. Two junior level PMs and have them ready to start. It’s like great. They can open up those job recs and start hiring. They bring them in and and then there it is. And, you know, you give them the roles and then then they’re working. They’re part of the team and you keep the conversation going. And I honestly think it’s a lot easier. Once you’re executing with folks on the ground with that, because then you really are that whole one badge thing where you have, uh, where you have conversations with the folks that are working for your subcontractor along with everybody else on on our team and because we work with partners that care about their folks, we’re talking with their headquarters. People as well to make sure that they’re getting that their staff is getting what they need as well. And it’s, it’s a snowball. Right? And so, yeah, it’s the way I work at it is take your team for a reason. 
You’re up front with what you need out of them. And then you work with them to make sure that everybody’s getting what they need through execution on it.

Adam McNair: Makes a lot of sense. Yeah. You know, I think that. Being up front and open about how you want to work together sounds like something that you’d get all the time, but, um, maybe I’m just jaded as having been a subcontractor to the people I’ve been a sub to, that a lot of times that doesn’t happen. So 

Kevin Long: often I find, at least with some people, Some places like earlier in my career, you’d get added to the team, A, for a logo and B for, uh, what set aside you could claim on it. And that was it. Or as some sort of quid pro quo for something that then never came to, came to fruition. And yeah, it’s, yeah, it’s frustrating. 

Tamar Mintz: Yeah. Tamar. So it’s interesting. You say Kevin quid pro quo. And the reason why is one, there’s this conversation reminded me that I had to set up a solution session with a partner for a bid. So this is a good trigger. Um, but, but to that point, I think, you know, going into these partnerships, it’s important to determine what do you want from me and what do I want from you? Like, let’s say that we’re working on a new opportunity. The question is, how is that going to equally provide us value, not only from delivery, but from a bid experience?

Experience, especially with some of the smaller businesses who haven’t gone through some of these steps before. Um, and I think that’s something that you have in the beginning to the point of having transparency, good or bad. From my perspective, let’s have the discussion, and I think having that discussion, whether or not it’s tough or fun and fuzzy is important for any relationship. I think the other thing that I try to do is play up to strengths. So by being able to establish some of these relationships, we’re really able to determine where our partners are super strong and He can’t. Capitalizing off of that. Like we want that because there’s areas that, you know, we’re not perfect at quite yet, we’re all, we’re all trying to get there yet, yet, but trying to get on that. And I think even from, you know, the partners we have on the call, Rish and his team are amazing at recruiting, uh, Jatinder and his team are also amazing at recruiting, but Jatinder, I would say from your side, you have this heart about your business that also, you know, I see in delivery on every day. And I think that both of those together are really important and add so much value to our teams. And I try to think about that when we’re looking at bids, looking at opportunities, in addition to the technical skills that you both have kind of exploiting those, um, as well. And I think from the opposite, the flip, um, having that transparency where both you and our other partners say, this is what we need from our growth trajectory. This is what we need as we want to grow. To focus on that from bid to execution across the board. So the bid process, we want to learn more about this execution. We want to see how you do a ramp up. We want to, so, you know, those are things where we both can benefit from each other. And I think that’s kind of what we look at in addition to the transparency from the beginning. So there’s no surprises that that’s a clear expectation. 

Adam McNair: There’s some really interesting points there. And one of them, I think, is that the culture of the organizations and their motivations and alignment is a big part of determining success and working together. And, you know, the concept of culture and business, when I was working at CACI a long time ago, Jack London, who was the CEO at the time, gave all of the officers a book about company culture and the importance of culture and that businesses that had strong cultures ended up being valued more from a stock standpoint than companies that did not. And it was kind of an odd concept for me at the time because he talked about company culture endlessly, and I was, I mean, to be honest with everybody, I was about 50 50 split between maybe there’s something to this, or I think maybe he believes this. So he went to go find a book that supported what he always says, and then handed it out to everybody. And then when we went to the ISO 44000 certification process, and you start reading through the model of ISO 44000 for business relationship management and collaboration, solidly 30 percent of what it talks about is the alignment of the culture of the organization that you’re going to work with. And I, I found that really interesting because now it was cultural fit was becoming an ISO audit topic to say, like, are we really checking for this now from a client standpoint? I don’t think we have had to think that much about that because if you’re in a true commercial business, you might end up doing business with some people that you don’t like how they operate, and you’d have to make that decision. 
The federal government has very rigorous rules for how they operate, so that kind of level sets it on that side, but from a partner standpoint, the interesting thing about 44000 was it actually said in paper to me we’ve gone off and decided on best practices for how to work together and you officially need to analyze the culture and the values of a company you’re going to work with to decide if you should be working with them or not. And it’s interesting because, you know, we, we didn’t specifically, uh, we have some teaming analysis that we do before we work with a company, but it comes out, I feel like, in this conversation, that as we’re talking about, as we’re talking about RP, as we’re talking about Fodley, um, that there’s a lot of cultural alignment with, you know, you guys want to do good work, and you want to be good companies, and you want to take care of your people, and, uh, you know, Rish’s slogan, Jatinder, your motivation, it sounds like a lot of that is, really kind of aligned with what we’ve been talking about. So I was curious, um, you know, if, if either of you would have some thoughts about what ways do you go about vetting or thinking about who you’re going to work with? Um, you know, when you’re gonna, you know, obviously we’re, we’re in an existing relationship, but, you know, maybe when we started working together, what were the, the things that made you decide, yeah, I’m gonna, I’m gonna work with this organization? Um, if either of you wants to, it has some thoughts on that and wants to go first. 

Jatinder Sehmi: A lot of the things and a lot of the way I run my business and businesses is very unorthodox. So this question might, I mean, this answer might kind of be weird, but like I’ve, you know, always stated, everything was about culture for me. People, uh, I, I stay in my lane when it comes to knowing what I’m good at. I do not veer off into anything. I don’t know. And relationships I know very well, people I know, I can read people very well. So to answer your question, I do it merely off of. a personality standpoint on if I can trust this person right now, I know. And typically I’m right. Um, and that’s just how I kind of then start digging into, yeah, this, this will work because Your initial conversation with somebody, sometimes you can’t really get a feeling of who the person is and stuff because it’s like a, you know, first impression. The second time around, you can start feeling them out a little more and there’s always going to be triggers that you start questioning yourself and when those triggers start happening in your mind, always trust your instinct. Right? Uh, and say, I, I don’t like where this is going, or I’m not sure this is going to be a fit, or I’m not sure what’s going to happen. My company and my people are going to be happy working with this person. Uh, and that’s kind of how I start the process. And then obviously I go to my team and I start asking them, Hey, I want you guys to vet them out too, and make sure that you guys can work with them. I like them. I like that person as a person. And I also like them as a cultural standpoint of where their company is. I want to make sure you guys can get along with them. And if they say we’re not sure, I always take their side and say, that’s cool. That’s a decision you made. Let’s go with it. But, uh, I always do it based solely off of personality of the people.

Adam McNair: Well, and I, I’ll tell you, I think there. I do. I agree with you. I think that makes a lot of sense. I will tell you one of the reasons I’m at highlight is, you know, several years ago, a long time ago. Now, frankly, I had a program that was being re competed that I was precluded because of a subcontract agreement. I wasn’t allowed to bid on. I wasn’t allowed to be on the incumbent team. I wasn’t allowed to bid with anybody. And, uh, it was because the company did kind of an unethical thing and slipped something into a contract mod where now, I wasn’t allowed to be on, I wasn’t going to be on their team, but I wasn’t allowed to be on anybody’s team. And when I talked to Highlight about it a long time ago, a decade ago, I said, look, here’s what I know about this program. I’m actually not allowed to bid on it. But if I can introduce you to some of these people and if you end up winning and you wanted to sub me, you know, my people back, I’d love to see that happen.

With nothing in writing and no negotiation and no anything, Highlight won that program and called me up the next day and said, hey, we won. We can get you subcontract for your people. There was no obligation. There was no anything there. There was an opportunity to probably make, you know, I don’t know, a decent amount of additional profit, especially for the size of the company at the time. But there was probably never, never a thought with anybody. In in the corporation at that time that that’s something that they would do. Um, so I think that let somebody show you who they are. And if if you if you figure that out, okay, like, yeah, you know, and I agree with you because there’s making your own problems. Is a real bad thing. You know, there’s enough challenges with a program with the logistics of things with I got to get these people through a security process. When can they start and every transition that I’ve ever done. You know, I always tell everybody. Look, whether the contract says it’s 30 days or 90 days or whatever, it’s not. It’s, it’s at least six months of trying to get this thing up and stable and, you know, we’d all like it to go perfectly, but somebody’s clearance isn’t going to go through. Somebody who was an incumbent is going to say they’re going to work on your team and they’re going to be dependable and you’re going to find out that they applied for other jobs during the procurement and they’re going to quit in the third week. Stuff’s going to happen. So let’s not us being in the way, making our own problems. Um, and so I, I think the personal side of that certainly makes a lot of a lot of sense. Now, Rish on, on your side from a teaming, you know, selection standpoint, is it deeply personal? Is it a combination of personal and other things? How do you, how do you do that? 

Rish Patel: I think it always starts off personal, right? So my experience is a little bit different than Jatinder’s. I’ve been in this business for a while, right? And now I’m fairly well networked. Just using the Highlight example, I mean, Tamar and I had known each other through Young FCA and we served on the same Young FCA board. He was actually my secretary back then. And we had worked together in this, you know, not necessarily work environment. So we’ve known each other for a while. And so the first time we had this opportunity to kind of work together on something in a professional setting, it was very easy, because I had known Tamar for many years and I knew who he was, what he was about, and, you know, I knew we could work together. And that’s just the beginning, though, right? That gets the foot in the door, and, you know, Highlight is one of our large, not one of, it is our largest partner. You guys are our mentors in the SBA mentor-protégé program, right? We have a really strong bond here, and that isn’t because of Tamar, right? That’s because of the rest of you folks from Highlight on this call, right? I mean, I think three out of probably the six or seven leadership folks that are on the call exemplify the same exact philosophies when it comes to partnering as, you know, my long-time contact Tamar, right? And so, you know, it starts with this personal relationship, right? We might’ve met at a networking event or known each other for years or a friend of a friend or whatever it may be, right? That’s how we start working with a company. But then it’s up to the rest of that organization to say, yeah, this is a company that we want to continue to work with, right? And that we’re going to have a great relationship with. 
And we’ve had plenty of examples where, you know, the person that brought us in and got us on the team, and it was great, and then that person leaves and all of a sudden our entire relationship leaves with them, right? We’re in fact dealing with something right now where we teamed with someone, that individual left the company, they won the program, and now we’re going through the subcontract process. We had a discussion internally that we might not even sign a subK with them, because we don’t think we can actually work together with them on fulfilling this program. And, you know, we’d rather stick with partners where we have similar cultures. 

Adam McNair: Well, there’s something that I think is an important concept there: that consistency is a big part of having a relationship, so you know what to expect. And if it is part of the corporate culture, that hopefully means that if you talk to Kevin, if you talk to Tamar, if you talk to somebody that works for one of them, if you talk to somebody in a recruiting organization, the culture is going to tie the values together. And so, you know, if you talk to somebody that works for Tamar, they’re probably going to make decisions and offer things that, you know, the words might be different, but it’s the same underpinning of, oh, we said we were going to have you fill these seven positions, so go ahead and fill them, and you’re going to get the same end result, whoever you end up dealing with. Something that made me think of is, from a prime standpoint, from a working-with-a-small-business standpoint, and even if we’re a sub to you guys on the small business side, you know, the consistency is, because you are the owners of the companies, it’s complete consistency for us. You know, if we’re going to call RP, Rish is going to be there. If we’re going to call Audley, Jatinder is going to be there. And even if we’re talking to somebody that works for you, and they might be new and whatever, the kind of overarching relationship and knowing how the business operates, it’s always, you know, you guys, because it’s your business. And when you work with larger organizations, at some point where you don’t have that entry through the CEO or the owner, that scenario, Rish, that you’re talking about, where all of a sudden all the people that remember anything that was ever said to you seem like they are all in different rooms, different buildings, they don’t work there anymore, it gets moved around. That’s a significant challenge. 
And because I was asking myself as we got ready to do this podcast today, you know, well, we’re talking about small business utilization and how we use small businesses, and so there’s certainly some topics there. But, you know, what is it about us, Highlight? You know, we’re a large company now, but we’re not a 15 billion dollar company; we’re kind of just not small anymore. And so what does that mean? And I do think that consistency is important. And so maybe, you know, the evolution of commitment to culture is that, as you guys grow your businesses, and as Highlight has grown, there’s still consistency. You know, Kevin and Tamar have been running their respective business units here for a long time. As we’ve grown, they’ve certainly added people, but those people that they’ve added, you know, there’s consistency there. Our contracts team, there’s consistency. Our recruiting team, there’s consistency. I think it is a real benefit for any teaming relationship when not only do you know where the culture is now, but you see consistency over time. And I think with small businesses there’s that consistency of the ownership. And I think it’s a benefit to us that we’ve been able to have that kind of consistency from our company as well. You know, I get the other side, you know, if there are other small businesses that are listening to this and they say, look, I know you guys have said a lot about, you know, you have some trusted relationships, you’ve worked with Highlight. But if somebody is starting their small business and they don’t have a go-to partner. 
At that stage of their business, whatever size their small business is, do either of you have any advice for somebody on what’s the way that I should go about it, whether it’s developing that network or how do I go find the companies that I should be working with? Do you have any advice based on your experience with your organizations?

Rish Patel: I mean, my advice would be to start building that network, right? Build that network of folks that you can work with, and then it’s like, you know, that’s the story about kissing all the frogs, right? The fairy tale, right? You’re going to have to kiss the frogs, but you have to go into every one of these opportunities, every one of these deals, with the right mindset: that it’s going to be successful, that they are going to do what they’re telling you, and you have to do what you’re telling them, right? You have to go in there expecting it to succeed, and just know that sometimes it doesn’t. And if you become cynical, especially early on, or even at our stage, right, that some of these deals won’t work, and you treat them that way initially, then they definitely won’t work, right? And, you know, my team always jokes with me, because they literally say that I’ve never seen a deal that I don’t like. Any time there’s an opportunity, it’s like, yes, this is great, this is the best thing since sliced bread, right? And that’s sort of how you have to approach it, right? Because you’re going to have to work with as many companies, as many partners as possible initially, right? And not all of them are going to be great. And that’s okay, because you still learn something from it, right? I mean, there’s no small business that just has this meteoric rise without having some challenges, right? Because without that, you can’t continue to grow. You haven’t learned any lessons. And so, you know, if you start every conversation, every teaming arrangement, wanting it to be successful, then that’s really the only way you’re going to end up with a few successful ones. 

Adam McNair: You know, I think we’ve all been through a lot of teaming relationships over the years, and, you know, some bids work out, some bids don’t, some relationships work out, some don’t. One of the things that I always encourage a lot of our capture teams, if we bid something and we don’t win, you know, it feels like this zero-sum, like we’ve lost and it’s over and it was useless and we wasted all this time. And I, honestly, will usually bring up: there’s value that came from this that isn’t going to be lost. You know, there’s either intellectual capital that we built doing this, or there are relationships, or there’s something that came from this that is going to be beneficial. I lost a gigantic deal one time that at the time was the biggest thing I’d ever bid, and it had been a lot of work, and, you know, I said some of those things, and we ended up a few months later using some of the same methodology content to win a big deal at PBGC, the Pension Benefit Guaranty Corporation. And there were, you know, engagements with partners. One of the BPAs that we won got protested, so there’s still no task orders out on it, but we won a BPA at GSA. Some of the partners we have on that, there were some DEA bids that we put in that were unsuccessful, but some of the partners that ended up being on that came from those deals. And so I do think that staking out those relationships, having some of those experiences, and then just being open to seeing where it can go from there, can lead to some long-term successes and some long-term value. Tamar, you had a point?

Tamar Mintz: Yeah, so one of the things that I think, you know, Highlight as we grew, I think we were honest with our partners, our large business, mid-sized companies. And I think something that we even do now is, you know, our integrity and our word are so important that we make sure in any type of arrangement that we have, we articulate what we can deliver. And I think that’s also a success factor for any small business looking to team and find partners. In addition to kissing frogs, we do that too. But making sure that when we’re having the discussion, it’s, if this isn’t the right one, let’s find another one that does make sense, because if we’re not adding value as a partner, then we shouldn’t be on your team. And I say that to almost every business that I talk to when we’re building a new relationship or we’re looking at a specific opportunity. Yeah, I want to be on every winning team, but if I’m not helping you from a value perspective, or it just doesn’t make sense, then let’s find one that does. And I think having that open and honest conversation builds a dynamic and a relationship where they know that if you are joining a team or trying to work together, there’s a reason. And I think that can help guide and grow your business more than anything else, because it’s showing that you do what you say and say what you mean. So many companies don’t. And that might not always be an easy conversation. I know that I’ve had many talks with companies, 8(a)s, small businesses, who come to us and say about our work, like, are you teamed, and, you know, they try to flip business. And I think if I could give any advice, it’s come and explain the value for that. Because for a lot of it, I’m not trying to be mean when I say this isn’t going to be a bid, this isn’t going to work, but strategically there should be a mutual benefit and gain, and just asking to flip work isn’t necessarily that. 
So, saying not this one, but understand that there’s another one that we can work on, is also really important. So I just wanted to add that tidbit, because I think it’s really helped grow the relationships that I have had and I currently have and hope to expand on: setting those expectations with our partners and making sure that, you know, from both sides, they know that it’s going to be mutually beneficial when we do find one, because we’re going to win it.

Adam McNair: I think that’s a very good point. And I think that kind of approach is a really good one to use. You know, as I sit here thinking about our engagements specifically with Jatinder’s companies, you know, we’ve had situations where you end up calling Rish at 7 o’clock on a Friday and say, hey, there’s going to be a whole bunch of positions we’re going to need help staffing. I’m not sure exactly what the labor categories are going to be necessarily, and we’re not going to know rates for a little while, but if you can get started, it would really be helpful. You know, one of the first kind of joint marketing calls that Jatinder and I went on, we were talking to HRSA about, honestly, it was kind of an interesting skills mix of, like, we think we need some records management, and we think we need some enterprise architecture, and we think we need some 508 compliance services, and one of the things we asked during this was, why is all this in one group? It’s like, well, because I’m responsible for all that. It’s like, oh, okay, so that’s why the scope is what it is, because this is all the stuff you’re responsible for. And as we were putting together an approach for that, we had the conversation of, well, who’s going to have what staff on the program, and we don’t know what the rates are. And I mean, this wasn’t in writing. This was basically a handshake where we said, we’ll just have to figure it out. I don’t know how we’re going to divide this or who’s going to find what people or who it makes sense to have what people. We’ll just figure it out. And, you know, we’ve successfully worked together with both of your organizations on big deals, on small deals, on complicated deals, on confusing ones. 
So what I wanted to wrap up with is, you know, if there are other companies out there that are looking for real go-to partners, you guys certainly have had a tremendous amount of value for us. And as much as we would like to think that we all only ever work together and talk together and hang out together, certainly we want to put a good word in for you, that if there are other people that need a small business prime, they need an 8(a) prime, they need an 8(a) on their team as a sub, that they certainly would think of you guys. What’s the best way to find you guys? 

Rish Patel: Our website is www.rpproservices.com. My beautiful mug is on there under the About Us leadership team, and I think you can connect with me on LinkedIn and connect with us there, or you can just find me on LinkedIn, Rish Patel, CEO of RP Professional Services.

Adam McNair: Fantastic. Jatinder, how about you guys? 

Jatinder Sehmi: Yeah, we’re going to be the same, right? Social media is always great. LinkedIn, you can always look me up. I make sure that everybody has my phone number, you know, every staff member. So I would actually just give it out now: 301 366 3368. Anyone can call me anytime, 24 hours a day. I’ve always been that way. Our website is www.theoddlygroup.com. Yeah, I’m sure you’ll find us somewhere. 

Adam McNair: Fantastic. That’s great. So I really do sincerely appreciate, you know, the experience we’ve had working with both of your organizations. We’ve done a lot of good work together, and I think one of the cultural aspects of us, and I know Kevin and Tamar share this, is we really just want to do good work. And so we’ve definitely had programs where it’s really hard, and you realize that part of it is just that your partners and you are having internal problems working together, and we don’t have that when we work with you guys. So we really appreciate that. And glad that you would take the time to chat with us today. So thanks, everybody. Thanks, Kevin and Tamar, for being part of the podcast today. Rish and Jatinder, thank you for joining. Victoria Robinson, thank you for editing this up and coordinating the whole process. So thank you very much for listening to another episode of the Highlight Cast. You can follow us on LinkedIn or highlighttech.com on the web. And stay tuned. The next episode, we’re going to be talking about emerging technology. So thank you very much, everybody. Have a great rest of your day.

The views and opinions expressed in this episode are those of the hosts and do not necessarily reflect Highlight Technologies and/or any agency of the U.S. government.

Episode #20 | ToolChain & Software Factories 

Announcement: Broadcasting from Fairfax, Virginia, you are now tuned in to The Highlight Cast with your hosts Adam McNair and Kevin Long. 

Adam McNair: Welcome to another episode of The Highlight Cast. Hi, I’m Adam McNair, the President and COO of Highlight, joined again by Kevin Long. Hey, Kevin, how are you?

Kevin Long: Hey, Adam, doing well. Happy New Year.

Adam McNair: Happy New Year. Also joined by Emilie Scantlebury, who leads our portfolio development here at Highlight. Hey, Emilie, how are you?

Emilie Scantlebury: Hey, Adam. Hey, team. Doing well.

Adam McNair: Great. So, excited to be here. This is our first Highlight Cast of the New Year, and we are joined by two guests who are partners of ours, and excited to have them on the podcast today. I’ll give them an opportunity to introduce themselves and talk a little bit about their organizations.

First is Matt Nelson. Matt, hey, how are you? 

Matt Nelson: Adam, thanks for having me, man. I’m doing great. Happy New Year. 

Adam McNair: Yeah, thank you. Happy New Year. 

Matt Nelson: Yeah, likewise. So, yeah, my name is Matt. I’m the Chief Operating Officer of a digital transformation firm called Rise8. We’re about two years old now, and we specialize in, you know, doing digital transformations for organizations with impact. So, excited to be here. 

Adam McNair: Awesome. Very cool. Glad to have you. And also good to talk again to Jay Sampson. Jay, how you doing, man? 

Jay Sampson: Doing well, Adam. How are you, bro? 

Adam McNair: Good, man. 

Jay Sampson: Awesome. So, Jay Sampson here, Account Director for Defense and Intelligence Sales with WeWork, the famed and infamous real estate organization. I’ve been brought on board here to kind of lead us into the DoD space and find ways to help the environment, lead different efforts with different organizations and programs. 

Adam McNair: Very cool. Thank you. So what we were going to talk about today is software factories. Now, we’ve done a couple episodes recently on DevSecOps and the new ways of building software. But I think we’re in one of those spots where, as technology evolves, as methodologies evolve, a lot of times things get pinned with a moniker that doesn’t necessarily describe them, and we’ve talked a lot about, oh, well, you’re doing DevSecOps, it’s a software factory, and that’s not always necessarily the case. And we started to get into what I would say is real software factory work as we started working together with the Air Force a couple of years ago. And I mean, for me, the big difference between a software factory and someplace that’s doing DevSecOps: you can build your own one application inside of your environment and have continuous integration and continuous deployment, and it doesn’t mean that you’re a software factory. I mean, software factory for me has a lot of connotation of, we’re going to have a team that builds a large variety of applications for an organization; it’s almost a shared service type setup. That’s kind of how I view it. Matt, if you had any thoughts about what you see as the big difference between a software factory and just somebody that’s following a methodology that might have continuous integration that they’re calling DevOps? 

Matt Nelson: Yeah, so, you know, I’m a 15-year acquisition officer. I’m still in the reserves with a software factory in Montgomery, Alabama, called BESPIN. And, you know, in the early parts of my career, we would get source code delivered to us via a CD in the mail, and, you know, a couple of years ago, back like the 2016, 2017 timeframe, the government really got the idea to start insourcing software development, where their source code was going to be behind their firewall inside their own dev environment, supported with their own development tools and all of those, you know, things that come around having a productive and efficient software value stream. And, you know, that insourcing drove the need to create this moniker, I guess you could call it, of a software factory, where it’s, you know, the software that you’re building, you’re building it for your own end users, and it’s being built, not delivered to you over the fence, and all of the things that go around that value stream are a part of that factory. So I think, you know, just like there’s a value stream in building widgets, there’s a value stream in building software. So I think that’s kind of how the software factory stuck. So at least in my lens of the world, software factory is almost synonymous with insourcing software development inside of your organization, in this case federal government slash DoD. 

Adam McNair: Gotcha. Now, Jay, I know you worked embedded with a software factory for a very long time. You know, Matt talked about some of the acquisition challenges that led to, you know, let’s not just get source code on a disk and then hope that it works. From your vantage point, you were really there kind of from the inception of a software factory. What kinds of reasons were compelling for that organization to convert into a software factory? 

Jay Sampson: Yeah, for sure. So looking at Kessel Run when it started off, really with about 60 desks, you could see how they were trying to put together and formalize how they were going to approach this. I think the first lab was called the Kessel Run Experimentation Lab, right? It was literally an experiment. There was no guarantee that it would progress and be the amazing organization that it is today. But when you’re looking at the different components that came together, the different organizations that gelled and started to create some of these amazing outputs, it forced the need for them to grow and to expand and really operationalize. And I think the first challenge that they ran into, and it’s a continuous challenge that they kind of ran into and are solving, is the scale. And that’s kind of what makes this a software factory in the truest sense, from my vantage point, is the fact that you could have all of these different organizations, all of these different pain points, but all falling under the same methodology. So yeah, from my perspective, that’s kind of what that leads to. 

Adam McNair: And, you know, as we’ve been talking about this, one of the first things that pops into my head when I think about going to a software factory type environment is almost selfishly solving one of my own problems. That is, we’re a contractor trying to deliver services in one of these environments. I’ve been in environments before where you don’t really have access to the test team. You don’t have access to a unified set of tools. You find out that you were working on an application, and then you go look at either the plugins or the code that another organization has used in an associated module, and you realize that whatever notional target architecture there was, there wasn’t a unified way to bring that all together. There wasn’t a unified way to share code. I’ve certainly worked in a lot of organizations where, when it came time for testing, you were copying something into a, you know, whether it’s an FTP site or it’s a digital transfer or it’s a CD, you’re basically putting it in a box and giving it to somebody else, and there’s not really end-to-end traceability. When you get into the idea that a software factory is unified by a tool chain, I mean, Kevin, I know you’ve worked in a lot of different software environments, certainly from the everybody-just-install-whatever-you-think-you-should-probably-use-to-build-this all the way down to, I’d say, very mature, locked-in environments where there’s a unified process. We’ve certainly supported tool chains now for the Air Force and for the Army. Are there specific benefits that you’ve seen, or how did you see that evolution from going from kind of heterogeneous development into a unified tool chain? 

Kevin Long: Oh yeah, for sure. Especially around the way Matt was describing with the insourcing and, you know, having the customer eating their own dog food, right? They’re doing it for themselves. When you’re doing multiple pieces of software, or features around something, with a lot of different teams, and, like Jay was saying, you know, you think big, you start small and you scale, right? You have to have a tool chain that gets really mature really quick, because you’re going to have agile teams that are developing with different languages and want IDEs for it, that want plugins that fit it, and have all of these things that really enable all of these developers, testers, DevOps engineers to do their work. You quickly find that there’s a lot of fungible software out there. You know, there’s 27 different IDEs, and, you know, are you going to work in Eclipse? Are you going to work with JetBrains in PyCharm? Are you going to work in Visual Studio? And you can have all these different things, and your ecosystem can get really crowded really quickly, and then it’s hard to purchase, hard to license, hard to manage, and hard to get your software developers into a rhythm where they’re in an ecosystem that feels cohesive and allows them to deliver quickly. I mean, when I think about software factories, I think about, you know, getting what’s needed out as quickly as possible, right? With all of these other things on that, it’s, you know, if they’re not operating at least as fast as the commercial software folks, then, you know, really, I think all of the software factories I’ve talked to think that they’re doing something wrong, right? So they’re moving fast. 
And so they need to have a space and a tool chain and everything that is cohesive and helps them move forward easily. 

Adam McNair: So I hear a lot about efficiency. Right, so a lot of the things that you’re talking about are efficiency, and some of the early efficiency things in software development were related to, you know, cross-training and trying to have a team that was multifunctional, so that you got away from, this is my one person that manages the accounting application, this is my one person that manages the supply application. Because I’ve certainly managed teams before where you’d walk into a room and you have 35 developers, and you see three of them that are doing kind of forward-looking planning, and then you’ve got a half a dozen people over on the other side of the room that are clearly stressed out trying to get something done. And you realize that just because of the way the requirements are driving, because of the way the sprints are going, you’ve got some people that are super busy, some people that are doing things, but they’re clearly doing things that are probably not going to be due for quite a while. And the reason is that, either because of skill set or technology or procurement or whatever, you’ve got people that are not really all able to pull the same rope in the same direction. So there’s some efficiency from the software factory perspective, certainly, that I’m hearing, that you’ve now got a unified team that can all work on requirements as they come down. But, you know, Matt, as we were getting started, you were talking about something that I honestly had not really thought about, which is the fact that procurement complexity isn’t just services. The procurement complexity, if you’re going to say, okay, I don’t want to just get a disk anymore, I’m going to insource this and be involved in it, and I’m going to have a contract for development. It seems like there’s a lot of efficiency from the very practical innovation of a managed tool chain and how you handle that procurement. 
Could you talk a little bit about how that innovation of the software factory has improved the procurement experience for trying to manage tools in an environment like this?

Matt Nelson: Yeah, absolutely. So, you know, as Jay was mentioning the Kessel Run Experimentation Lab, it was truly an experiment, right? We got out there and we wanted to try to figure out how to build software, and not in a functional waterfall type way, but in a modern balanced team approach where a single team owns the delivery of their product and really practices the DevSecOps practices that are now starting to become just commonplace. But to do that, one of the biggest bottlenecks, one of the biggest constraints to be able to pull that off and have these developers be productive, was being able to give them the tools that they needed in an efficient time. And, you know, I remember when we didn’t have a tool chain contractor, somebody actually managing the tool chain. And I define the tool chain as all the tools that go into doing CI/CD and release engineering of your product, also the actual cloud infrastructure, and even the tools associated with collaboration and prototyping and whiteboarding and all of the things. So all of that is built in. At the end of the day, you do that for developer and team productivity. But the acquisition team didn’t have that level of productivity. They were very bottlenecked, because every single one of those tools, you know, would require a brand name justification, a sole source justification, just depending on how you’re going to acquire it. And then it just got super gnarly when you’re talking 30, 40 different tools in this heterogeneous ecosystem that gets stood up, because each one of these tools has its own unique niche. So flipping that on its head, the acquisition model of a tool chain as a service, it’s now a team that’s managing all of those licenses for you. You don’t need to do a brand name justification, because the requirement of this team is to provide you with the most efficient and effective tools to do your mission. 
That really eliminated that bottleneck of tools and all the different onesie-twosie purchases that the acquisition shop was going to have, and really created an efficient way of, you know, hey, if we’re going to insource, we’ve got to organize and equip these folks so they can be productive, and you can’t do that in a onesie-twosie manner. So it’s just really cool to see that tool chain concept go away from the brand name justification headache that we had at the very beginning. 

Adam McNair: And I think there’s a lot of good points there. And you know, some of the, some of the things that that kind of rings a bell on is, you know, the, the way that we go about selecting tools, just because it’s been, uh, essentially included in, in a contract for us, we’re still following, you know, a FAR compliant evaluation. Uh, we actually use a CMMI decision analysis process and assign rating, you know, criteria and then how we would rank them and so forth. Uh, but it’s certainly a lot of value for the government to know that they’ve got an accepted approach for how we’re going to do that. You know, one of the things that has been an interesting, uh, lesson for me is we’ve, You know, both, you know, Kessel Run is the work of the Army, uh, also with, with, with Homeland Security, some of these tools, you know, there’s an evolution of tools and tools will come up and, you know, you have a developer that will want to want to use a new tool, the technical merit of that tool and the procurement aspect of that tool are, can really be different. You know, if you’re going to go to a, a giant tier one software company and you’re going to try to go and buy a tool from Microsoft or Salesforce, et cetera, they’ve got all kinds of GSA pricing. They’ve got a whole team of people that do nothing but sell to the government. We’ve had a lot of instances where we’ve gone to companies that they’ve never sold to the government before, they, they’ve been set up in some cases where they just want you to buy through their website. You tell them, like, we need to have invoices, like, just all of that kind of administrative churn that that creates. It doesn’t sound all that exciting, but when you multiply that times 50 or 100 and have it on an annual basis and you want to evaluate a tool and sometimes evaluating a tool is understanding what the, the licensing requirements or logistics would be. There is a lot to that. 
We’ve also had instances where, you know, you’re tracing down a tool and you think that it might have some technical merit and you have to do a security assessment that you’re really, that has to play into it. 

Kevin Long: And we’ve saved that tool was, was owned by a company that literally had the president trained by the KGB. Let’s put that in our, in our tool chain. 

Adam McNair: Yeah. And that’s all kind of keeping the noise out of the government acquisition shop. So that when, when we’re going forward with, with those kinds of solutions that they can buy once, and then we can handle some of the details. So I think that. That makes a lot of, a lot of sense from a, um, you know, from a tool chain standpoint. Um, what are you guys thoughts on, is, is a tool chain really a set architecture for a long time, or from a tool chain as a service perspective, what rate of change do you see in tool chains? I mean, are, are we, are we locked in for a year? Are we locked in five years, five years? Or is it a, uh, a living ecosystem? Uh, does anybody have any thoughts on what, what that would look like? 

Jay Sampson: I just want to piggyback off of, off of what we were just saying. So I’m, I’m, I come from an operational standpoint, right? Like, so being on the ground and seeing how these decisions impact the people who need to implement it. And when we’re talking about a software factory for a government organization, it’s very hard to train government people to change the way that they approach something to get a methodology stood up. Um, and we keep using this and I think it makes the most sense in the world because I think this is just the best use case, but Kessel Run bringing in things like psychological safety and all these other aspects, it’s hard to do. It is extremely hard to do. And so you need to be able to focus on said mission set. The beauty of having that tool chain, and to kind of touch on the question that you’re asking, it has to fit, uh, the working style of said organization, right? So Platform One, Kessel Run, Kobe, Austin, they have different mission sets. They operate a bit differently. So your tool chain should, should, uh, kind of acquiesce to whatever the demand is. But the beautiful part about it is, is when you have that team that’s dedicated to all of those different aspects, whether it’s vetting out that new tool chain, procuring it, making sure that it meets all the security standards, integrating it, disseminating it, managing it, reporting that to the, um, to the proper government stakeholders. That’s hard in itself, right? So when you have that tasked out, uh, to a, to an organization, uh, or to a company instead of, uh, within an organization. Well, now you’re just freeing up the ability to do what? Create amazing apps, uh, that benefit the warfighter. It’s a seamless, it’s a seamless activity. So I love to see more people kind of adopting that mentality. I love to kind of see the way people get inventive with it. Um, I love the way, um, kind of Matt kind of broke that down and instituted that. 
Uh, the fact that that didn’t exist prior to, I mean, uh, a contract for each app. God, it just sounds. So tedious. And I don’t know how you can manage that. Right. So I love that the breaking of that bureaucracy and the, and the change in the new norm.

Kevin Long: Yeah. I mean, watching our contracts team go through that where, I mean, literally we have one contract with every tool in the tool chain that we do for each of our tool chain customers. Now, knowing just the standard commercial overhead in the back and forth with that, add on top of that, I mean, sole source justification going to, uh, uh, a contracting officer that isn’t technical like, like Matt is and say, no, no, no. Trust me. When I say feature A is absolutely necessary, even though B through Z is the same as over here, without, without feature A does not matter. Right. It’s like, like we’ve invested everything on MacBooks, but you know, this software only runs on Windows. It’s like, okay, so here’s the, here’s the Mac version of it. I mean, having helped write SSJs, uh, for other customers, I can’t imagine having to do that with the level of specificity and speed that, that tool chain requires, uh, on that. To be able to get it in and not absolutely bring everything to a grinding halt. Now, I hadn’t, I’m surprised I hadn’t really thought about it in those, in those terms before, uh, being as involved with, with some of these tool chains as I am. But for sure, I mean, that’s, that is a mighty value proposition. 

Adam McNair: So let me ask a question. So if I’m a government customer and I’ve got an organization where I’m currently living with exactly what you, you fellows have been talking about, which is I have an active 34 different purchase orders that cover, you know, 20 different tools. And some, I’ve had to execute new purchase orders because I had to have some, some growth in user count. And depending on how things are licensed, I’ve got all kinds of, I’m just in the middle of all of that. How do I, how do I get started from the standpoint of saying, okay, I, I want somebody to handle this for me. I want to buy Toolchain as a service. Do I, do I, do I try to wait till all these agreements run out? Do I, how do I do that? 

Matt Nelson: I think the first thing you got to do is, you know, if you’re not the contracting officer and you’re going to the contracting officer to say, and you hit the nail on the head, it’s tool chain as a service, most of the time, these are supply contracts, you know, 10 licenses. That’s a supply. That’s a whole different ball of wax than when it comes to a services contract. So if you can start getting, looking at the problem from I need this service provided to me. And part of the service is just happens to be, uh, continuously updating, providing new tools and enabling developer productivity through, you know, equipping them with the right, uh, the right things to do their job, that then opens you up to having these conversations around, Okay. It is a service. We don’t have to wait for these licenses to expire. They will then, it’s almost just like a bill of materials that they would then just take over the management of those, of those capabilities for you. So that’s definitely, you know, in my opinion, the only way to go, just because you asked the question earlier of, is the tool, what’s the tool in five years from now, no one’s going to be able to answer that because, you know, open source tools come, come down the pipe and then you don’t need to buy this license. You can just, you know, download this open source tool and have your, have your, you know, tool chain team, not just become a procurement shop, but actually become a shop that does engineering for you to host those tools in your infrastructure and connect them together. So it’s a whole service, um, FOSS tools are 

Kevin Long: such an interesting place where tool chain is going to, Matt, for sure, especially. From, yeah, yeah, not, not as much procurement, but then, you know, uh, I remember back when I was a developer, we weren’t allowed to use open source tools because you couldn’t vet all of the developers that, that were working on it. Right. And, you know, how do you trust a 12 year old in Denmark to write code that is, that is in the best interest of the U.S. government, right? Um, but you know, it’s more and more security tools and things like that are actually focusing on being able to analyze and evaluate the safety of free open source software. It’s, it’s really exciting and being able to pull that stuff in and plug that in and do more engineering and less procurement, uh, with that. And it’s, yeah, I mean, a hundred percent, like a really exciting, uh, uh, uh, portion of the, of tool chain with that is, as FOSS tools become more and more, uh, frankly ubiquitous.

Adam McNair: So as a connected question to that, so, you know, one of the things when we went through our ISO 44000 certification process, one of the things that that informs in your contracts organization is that before you buy a tool or sign any real partnership, one of the questions that you’re really supposed to, to analyze is, what’s the road map of this tool, and you can only see as far out as that company has plans or is willing to communicate them, and things change. So there’s, there’s this kind of shrinking window of certainty that, that the further you get out in the future, depending on the tool. You know, we’re pretty sure that Microsoft Windows is going to exist as a general platform, et cetera, and I can say with pretty great certainty that, you know, Microsoft Teams is probably going to be a platform for the foreseeable future, and you don’t really need to have a note by it that says we got to pay attention to see where this goes. However, when you start to get into more niche tools, I’ve had a lot of enterprise systems management tools where, as I was supporting a government customer and you’re looking at their requirements, to Kevin’s earlier point, sometimes you have a tool where there might be only a feature or two of it that are really critical for your environment. And if that’s not within the sweet spot of that tool, they can just decide they don’t want to do that anymore. They can decide that as they evolve their tool or their suite, that they either will not support that feature, or that they might require you to buy a whole lot of other capabilities just to get that one piece of that tool. So, there’s always this continued assessment of the lifespan of the tools that you have. And in any target architecture, you’re always going to have those kinds of machinations and changes. But it’s a bigger picture of toolchain and software factory. What’s next? 
If we’re kind of in the, the Well established early life span of toolchain as a service and software factory. What do you guys think is the next big innovative thing that you want to see happen or you think is going to happen in that ecosystem? 

Jay Sampson: Um, from my perspective, and obviously, right, I sell space for a living, right, to government entities. Um, one of the things that grants me as a purview talking to different organizations is a similar pain point. Um, I kind of have the same conversation over and over again, uh, at these kind of bottleneck points, specifically when we’re talking about contracting, when we get into the operational space with things like tool chain as a service. And what I end up doing a lot of times is just being a connection point. So I think what would be innovative in this space would be collaboration. Uh, There’s a lot of people that are starting a software factory, trying to establish a software factory, maybe have it established and trying to get to that next stage, right, running into that same pain point of scaling that Kessel Run did early on in its in its life, being able to share those stories, being able to share those case studies and being able to kind of use the wisdom that someone else went through and kind of save yourself a lot of heartache and pain. I think would be amazing. There’s a new wave of leadership that’s that’s coming up right that sees the value in it. I do think we’re still in that stage where there’s a couple of organizations and entities that may be having an outdated or an old approach to what this means to maybe haven’t fully grasped the value of it. And there’s some people who really know how to operationalize this thing and just really need to be unlocked so that they can push it as far as it needs to go. So in that, it would be that cross collaboration. It would be sharing of those, those past, uh, mistakes and learning from those. That way that these smaller organizations are ones that are getting off the ground. can do so a lot more efficiently. I mean, I’m looking at Spectrum Warfare, ECMA. I’m looking at different organizations and some really smart and amazing people associated with it. Right. 
And so being able to move quick, right. And move efficiently, I think would be super beneficial. 

Matt Nelson: Yeah. I think like specifically with, with tools is I’d love to kind of see this, you know, the government zero trust model, a hundred percent, you know, we, we have trust issues for a reason, right? Like we’re keeping our national security secrets alive. So, um, but I love what the Iron Bank concept is over there on, you know, the, uh, Platform One team of pre-vetted, you know, sets of tools that contractors have gone through the assessment process and they’ve gotten the green light to say, yep, these, these tools are good to go. And every time a new update gets delivered, they go through that process again, which is a really cool concept. But I think pushing that even further to like, a hybrid SaaS model to kind of Jay’s point of, Okay. Truly collaboration with these tool developers and putting their, you know, putting their infrastructure on to a government certified, putting their code on to a government certified set of infrastructure, like GovCloud or anything like that. Because, you know, FedRAMP processes take a year and it’s very cumbersome and I get that, you know, these commercial SaaS tools, they don’t necessarily want to, you know, or, and they don’t want to like hand over their keys to the kingdom and put it on a different set of infrastructure and networks. And now you have to manage two baselines. But if, if you find the right contractors or the right SaaS providers to provide that hybrid SaaS model, because there’s, there’s probably, you know, profit to be made in that area, you can then, you know, take advantage of the turnkey that is SaaS, but still do it in a secure way and not have to go through the expensive and timely FedRAMP process if you are trying to be a third party reseller to the government. 
So just more ways to kind of hack that bureaucracy, what I think is going to be, you know, the next thing, because it’s always about trying to, you know, eliminate the constraint. I think the constraint right now is it’s either you have, uh, you know, an open source tool that you can do every single code check you want on it, but then you have to kind of manage it. And, you know, that comes with the logistics tail, or you have to look around the peripherals and do your own security assessments, but it’s not like the, the in-depth assessment that makes the zero trust community feel good. So there’s gotta be a blending there. 

Adam McNair: I know here are two concepts that, that I think, um, makes a lot of sense. One is that from the, from the tool vendor side, you know, this is, this is that kind of intent of tool vendors to participate in the security construct is a lot of what the CMMC methodology, you know, there’s a lot of words in there. There were a lot of complaints from organizations. I sat on the, um, the advisory board and I, I’d be in some of those sessions and I hadn’t thought about the fact that, you know, when those requirements came out and we read them and we were getting compliant and said, okay, well, this makes a lot of sense. There were companies in there that would say, well, but 3 percent of my total revenue is federal. If, if I’m only selling 3 percent of my tools to DoD, why do I have to transform my entire enterprise to be compliant with this? Uh, now the kind of the, the most obvious kind of example there was, there was a company that made bolts for, for, you know, machinery. They said, just because I sell these bolts to, to DoD as opposed to these other ones, am I supposed to change the way that I do everything so that, you know, my purchasing department has to, has to do everything different? So there’s definitely that aspect. So I think your point about you don’t have to get everything FedRAMPed. There’s a, there’s a, you know, coming up with some way to get some of those tools hosted in a GovCloud environment where they can start to think about having an enclave where they are maintaining a federal version of a tool. I think that makes a lot of sense. Um, and the other thing that I heard as you guys were talking is, Okay. Think that mindset that your tool chain is not an inventory purchase, but it’s a service is a really big deal. 
Because one of the things that I saw early on when cloud came around was that the government wasn’t used to talking about cloud from a procurement standpoint because they were used to talking about a hardware purchase where they were going to buy metal and put it in a room somewhere. And then they were used to talking about a services purchase where they were going to send people into that room and take care of that metal. And one of the things that was an acquisition challenge when cloud came along is they said, we want to do this cloud contract. And they’d say, okay, um. Well, but wait a second. This has hardware in it. You go, well, well, it’s, but it’s, it’s all integrated. We’re, that whole mindset of we are going to buy the service of when we want to light something up, they take care of it. That mindset of going there from, well, where’s my purchase for the materials? Well, it’s in that. Well, that, that was a mindset change. And it sounds like the same thing, uh, it is on the cusp there from a tool chain standpoint, because again, you know, the idea that there’s an overall consciousness in the federal government, what I’ve experienced is it’s a thousand small pockets of consciousness about how to do a thing, you know, and to Jay’s point about trying to share lessons learned and get people together so that we don’t have to continue to reinvent the wheel here, makes a lot of sense. Have you all seen, yeah. A forum where you’re seeing those kinds of conversations happen. Is it happening in FCA? Is it happening in ACT-IAC? Is it happening in informal organizations? Where are government customers able to talk to each other and understand how these things are being done?

Jay Sampson: I mean, I’ll chime in there.

Definitely FCA. Definitely. I, I would say, um, uh, defense entrepreneur forum as well. I just say just rule of rule of thumb. Whenever people get together, especially in a government environment, people talk and people share their other giving nature. The entire thing is built around service. Uh, and when you’re dealing with, especially, especially, especially, especially innovative efforts, everyone has a really deep desire to do something really well. When you get people together, whatever form that may be, um, that’s when that kind of takes off. Something a little less formal, I would say. Something more so where it’s just conversational, that’s why I love being on this podcast with you guys. Um, Association of Old Crows is another podcast I listen to as well, right, where you just exchange thoughts and ideas and in those environments, that’s when you see, hey, I had this really strong contracting problem. That I just could not figure out when you talk to somebody else that you know, that’s within the industry and they already had that solution figured out. Like it’s not even a thing for them. You just have a conversation and all of a sudden the dots are connected, right? The lights light up. Um, so I would say definitely that I love what FCA does, especially from a small business standpoint. From there, they’re solving a lot of issues just from the private sector, being able to support the government in an efficient way, getting over those bureaucracy hurdles and what have you, uh, having the right connections, being able to align your business in a, in a way where it needs to go, you know, Uh, but yeah, definitely that, uh, anything that’s, that’s event driven more so, and I know COVID is a, is a heck of a challenge that we’re all experiencing, but being in person and sharing thoughts and ideas, it’s amazing how many problems get solved just in a conversational form.

Adam McNair: Yeah. And building on that. So, yeah, I do have one question that is, is, you know, software factory related is certainly, you know, we, we have been in. physical environments in software factories. We have gone completely virtual in software factories. You are certainly at the tip of the spear, I’m sure, in a lot of those conversations about where, what’s the future of, of, you know, what’s current state, what’s future state. Uh, what do you see customers doing? I mean, if they, if there’s uncertainty around Their physical environment. Uh, what kind of advice are you giving them from that perspective? 

Jay Sampson: Not for sure. I, I, so what I’ve been able to kind of surmise from my interactions and seeing all of these things, one, there’s still a deep desire for everyone to kind of be together in one space, right? Just collaborating in person. I mean, you just can’t beat it. Right. But there’s also the luxury of. Kind of what we’re all doing, right? And it’s working from home. So the sweet spot moving forward, especially, I think that I just read that there’s another variant in France that just popped up, um, which is like just going to add on right after the Omicron disaster is hybrid work. Giving people the option of being in the office or working from home. Kessel Run is another great case study, right? When they had to go to all virtual, um, it was a Herculean effort in the beginning that, that rapidly became easy because it was just, you set people up with tools. They’re really dope at what they do. I mean, they’ve hired some of the best people in the world, right? Uh, and so they were actually a little more efficient working from home than working in the office. Um, now I do think there’s certain things that you miss from that, right? When you’re not there every day, just having a stand up where your entire organization meets in the morning. Again, the conversations that come out of that, it, it, it bleeds over into the entire day. Uh, but the future of work, to be honest, is going to be hybrid. It is going to be flexible. It’s going to, um, it’s going to. Be a situation where organizations shrink their portfolio instead of having that massive office space that really may be only at 60 percent capacity pre COVID. And, uh, you know, during COVID, now you’re at maybe, uh, 10 to 15 percent shrink that down, give people an option to come into a, uh, a shared coworking space. 
And I, you know, I say this because I work for the organization, but I can tell you, honestly, this is where it’s going from a government standpoint, from a private sector standpoint, uh, because it touches, uh, things like, uh, talent, attraction, and retention. Being able to hire the best talent from with somebody who may be in California and you’re based in Virginia, what have you, right? Like you got to be able you got to be able to give these people some options. So it’s going to be flexibility, uh in a hybrid approach moving forward.

Adam McNair: Yeah, and I would tell you this much from, uh, from a business perspective, I have seen merger acquisition deals die because of giant lease footprints. Um, I’ve, I’ve been charged with figuring out ways to, to, to turn the kind of financials of an organization around and the, the most money I’ve ever been able to save somebody was on real estate. It was millions of dollars a year. And, you know, the, the day I took that gig over and they said, look, we got to figure out how to actually, you know, turn a profit. And, uh, I walked into a facility in Crystal City. You could have set up a bowling alley, um, five-on-five basketball, shuffleboard, all side by side. I mean, just I’m talking about thousands of square feet that because there was a pivot in how contract delivery was going to happen, the company was paying, you know, a couple million dollars a year for unused space. So that’s dealing with that. And that was just kind of the old uncertainty. The new uncertainty, to your point, it makes a lot of sense, um, you know, to make more flexible plans for the future. And so that said, I mean, on the last note of flexible planning and in person activity. So I know we’ve, we’ve talked, I think, in, in different, um, at different times about, you know, what event we would be at or when we would be going, uh, you know, going to. Uh, we went to the ACT-IAC ELC conference, which was back in November. Uh, to Jay’s point, everything keeps evolving. Uh, we’re certainly talking about, uh, the Offset Symposium coming up, uh, in Detroit, which ties into a lot of these, you know, the acquisition, uh, challenges, acquisition thinking, acquisition strategy from an actual security standpoint. Uh, are you guys headed there? Or if somebody wants to bump into you in person, when’s the next time you guys are going to be in a live, real, in person event? Theoretically, assuming everything doesn’t change dramatically in a week and a half. Yeah, 

Jay Sampson: I’ll definitely be at the Offset. It’s actually going to be at, uh, at one of our locations there in the Detroit area. I do fervently believe that that’s going to be one of those opportunities where when you have the in person engagement, there’s going to be just so much that comes out of that. Uh, you’re dealing with an organization that’s standing up a, uh, a software factory, as it were, uh, this one a little bit more true in the sense than not. Um, but what, what the, the learning and the people that will, that will be coming together, uh, in that, uh, I think it’ll be setting up the government for, for, uh, for extreme success. You’ll definitely see me there. Uh, I’m in D.C. Uh, there’s, there’s, we got about nine or 10 buildings that I’m usually in once or twice a week. Uh, so you can see me anytime you want. I’d love, I’d love to meet anybody at the space, but yeah, definitely be there for sure. 

Matt Nelson: Very cool. Matt, you headed up there Detroit way. No, but now that you mentioned it, I might, uh, put it on. Oh, you’re going. Yeah, 

Kevin Long: I think we’re going to see you there. 

Matt Nelson: I love it, man. Yeah. Thanks for the invite. I appreciate it. Um, but yeah, like just to kind of, you know, sum up this conversation, I, I’m a firm believer that environments shape outcomes, right? So if, you know, unfortunately a lot of the, the federal buildings and the, and the military installations, their environments, you walk into those environments and they are not like state of the art. They are not competitive, uh, when it comes to attracting talent and producing those good outcomes. That’s two cities from the 70s and the 80s. So, uh, either, you know, spending the time to, you know, invest in the existing military installations or creating something like a WeWork where you can, you can flex as you grow and then flex back down when you need to as well to have that additional flexibility. I think like that’s such a key, a key thing for these software organizations as they’re starting to, you know, grow and bud, right? Like these, a lot of seeds have been planted in the last three or four years and for us to garden that ecosystem and not revert back to let’s just outsource things and get, you know, software code mailed to us again, you’re going to have to have a dedicated, you know, environment, um, And last thing is like Jay mentioned, like when, when COVID hit, you know, the software tool chain team was the one that was helped because it’s a service. They could flex, get more BDI help with white listing accounts, doing all of that stuff. They’re like, if, if you didn’t have that, if you just had a bunch of licenses, now you’re having to go out and acquire that service and you’re, you’re unproductive for six months. So there’s just a lot of, uh, a lot of good lessons learned that COVID has. Uh, has, you know, you know, the silver linings that COVID have brought into us. 
But, uh, one of them, I’m a firm believer that like to Jay’s point, like you can’t just work behind a computer all day and get the same vibe and the same, like just love of passion for life when you’re actually collaborating with people, or social animals type of thing. So let’s not, remote work is great. But also have options is all I’m saying. 

Adam McNair: Yeah. Yeah. Yeah, I think that makes a lot of sense. And, and the thing, you know, I, it, it, it can’t be, you know, stated enough that attracting talent in the future. We have an entire workforce now that has experienced remote and or hybrid work. And. You can have a lot of people that are going to want to stay deliver, you know, delivering services in that environment and our physical facilities need to allow for that. And there’s a lot of government buildings. There’s a lot of old commercial real estate that if you can only put 6 people in a conference room.

If you can only use an old dial in phone and then you spend 30 percent of your time trying to explain, well, are you seeing what I’m seeing? No, go to this other slide. Well, no, no, you’re on the wrong page. That’s not no. A plus resources are going to accept that anymore. And so the efficiency that we’ve seen and the ways we’ve overcome some of these obstacles, I think we need to make sure that both from a procurement obstacle standpoint, from a physical environment obstacle standpoint, that we don’t, we don’t forget about the fact that overcoming those is a big part of all the efficiency in the innovation because tools are just tools. And if you can’t get them or you can’t get the people to use them, you’re not going to end up with real value for your organization. Well, guys, thank you so much. It’s been a really great conversation. I know we’ve had great opportunities to work together in the past and certainly in the future and really appreciate your all’s insights on it. Your unique areas of business. And so I just wanted to thank you both. So thanks to Matt Nelson, to Jay Sampson, Kevin Long. Thank you. Victoria Robinson will be editing this up for us. Thank you for participating. Emilie Scantlebury. Thank you, Kevin and Emily. And I’ll be at Offset coming up in March and then wanted to remind everybody to, uh, keep up to date on things going on with Highlight on our, uh, our website, HighlightTech.com. Also, upcoming podcast, we’ll be talking about our small business partners and some of our utilization of the small business program, uh, with, uh, our partners, Audley Consulting Group and RP Professional Services. Thank you all very much, everybody. Happy New Year, and we’ll talk to you soon. Thank you.

Announcement: The views and opinions expressed in this episode are those of the hosts and do not necessarily reflect Highlight Technologies and/or any agency of the U.S. government.

Episode #19: DevSecOps Part 2 

Announcement: Broadcasting from Fairfax, Virginia, you are now tuned in to the Highlight Cast with your hosts, Adam McNair and Kevin Long.

Adam McNair: Hey, hi, and welcome everybody to the Highlight Cast. My name’s Adam McNair, we have with us today Kevin Long and Kevin Milner. Hey guys, how are you? Good, so if, uh, now, first off, if you haven’t listened to our first episode that we did on DevSecOps, I would recommend that you pause here and go back and listen, uh, DevSecOps walkthrough, really what I would say is a walkthrough for a layperson, um, somebody that, you know, I’ve, like, like myself, I’ve, I’ve done some things in software and so forth in the past, but, uh, Definitely not a hands on, uh, technical architect or anything like that at this point. So I thought it was a very good conversation and we certainly hadn’t covered everything. So we had talked about the benefits to organizations of DevOps. We had talked about how we had seen some of our customers. Adopting DevSecOps because it is a transformational activity. It’s not like you just make a decision that you’re going to do it. And then all of a sudden, you know, you’re a DevSecOps organization, right? So we talked about that. And, um, Today, I think that the things we wanted to talk about were, uh, the toolbox that you need to implement DevSecOps and how to build a team, uh, to deliver in that way in, you know, in the, in the federal marketplace. So we talked about that. It’s, it’s a, it’s a tool heavy. Activity or you lean on tools to be able to automate things and so forth. So I think it begs the question, um, so what are the tools that you guys, you know, typically kind of are, are the major core go to go to tools? 

Kevin Milner: I would, I would say that like a lot of the tools that you’re going to lean on for DevSecOps are going to be, uh, you know, If you look at it holistically from, from the start of the pipeline on, you’ve got, you know, first you’re linting tools that make sure that the code is, is, is like, you know, properly formatted and stuff.

Then you go and you do your, Your unit tests, but then you also do you want to have a suite on your toolbox of like, um, security tests and code validators like SonarSource and stuff like that so that you can really make sure that that’s part of your pipeline. And then, uh, other tools you might. You might use are, um, you know, diagnostic tools are really handy to have if you’re, if you’re looking at net security, you might use like Wireshark.

Um, my preference is to try to go for free and open source tools as much as possible, at least in this sort of space. Um, Just, just because generally they’re, they’re better vetted and people, you know, uh, are able to, um, you know, if you, if you have code that like everybody in the world can look at, then you can be, you can be pretty sure that if there were some problems with it, somebody would have pointed it out, uh, 

Kevin Long: When I think about the tools also, though, I think about it is sort of like turning software again into a factory and things that automate different processes, right? So, Kevin living in this every day has has has gone gone to the to the deep, some of the deep facts, which I love. But then there’s also been like the base automation tools out there that you get like, you know, Jenkins and SonarQube and, and then you end up and Maven and, and, and Gradle and tools like that are Ansible and, um, Chef, Puppet, uh, all of those really that allow you to, to push your code down the, it’s like making, making it a conveyor belt, you know, that which moves it, moves it. Moves it along through the process. 

Adam McNair: Now, where are we from the standpoint of interoperability? Are we, do they all kind of work with each other? So that if I want an automated unit test tool, will all of them work with the, you know, whatever the precursor tool would have been? Or is it some are better than others?

Or how, how does that, How good is your DevOps engineer? 

Kevin Milner: Generally, uh, generally the way it is, is set up, you have tools, you know, you’ve you’ve heard the phrase the proper tool for the proper job. So, so some tools are better at sort of generic analysis. But then other tools are specifically made for like the language and environment you’re working in. For instance, you can’t really easily use, um, say like Maven to compile .NET code. It’s possible, um, and it comes out really messy. But, uh, you know, you can do that. But the better, the better. The better choice would probably be to find a specific tool for that particular implementation. Um, you know, in some cases it’s useful to have a tool that can reach out and talk to a Windows machine or a Linux machine or a macOS machine. But in other cases you’re going to really need to focus on what your specific application is in order to make sure that the tool properly works. 

Adam McNair: Okay, so it kind of goes into the category of the MacGyver type aspect of there are some things that will do what they are intended for all the time and then you can take something that’s not ideal and maybe you can patch it around and rig it so that it will do something, but it is probably not ideal for the task. Yeah, 

Kevin Milner: and it’s sort of, there’s, there’s sort of two philosophies, I’d say, in computer science, or at least in, in this sort of thing, there’s either the idea that you have a whole bunch of little tools that does one thing really quickly. Uh, and, you know, you know, every time you type mv, space, file name, space, destination, it’s going to move the file. It’s not going to, you know, reset security, stuff like that. Uh, an interesting analog to this might be in chip design. Originally, the, the PC chips, uh, the IBM compatible chips for processors were designed using a complex instruction set. You have a rich, robust set of functions that don’t do each, each one does a specific thing and you have this, you know, really complex way of using it. Then, you know, you might, you might think of that as like trigonometry. Uh, you know, you’ve got all this, these complex equations to do things, but they only do the limited things that, that, that they do. Then the other option would be what Apple chose, um, which is the reduced instruction set code, which is. You have, you know, uh, basic, simple tasks that you do, and then you build up the more complex tasks from the simple set of tasks. So, uh, so you end up with like a much simpler, Design set a simpler tools that you have to be more creative to use, uh, to do what you want. So it’s sort of a, you know, a philosophy of do I want stuff that does, you know, these complex, actions, but, but that’s it? Or do I want to build up the complex actions from simpler sets of steps, which would be like, you know, arithmetic in a math example I was using earlier. 

Adam McNair: So one could also crosswalk it, like I think of, so when you look at a LEGO set, there are some of the LEGO sets these days that have customized pieces that It’s the top of the cantina in Tatooine or whatever and that’s but that’s really all That’s all it’s going to be because it was custom designed for specifically that purpose Whereas theoretically if you just had a large enough collection of one by one bricks, you could build anything you wanted 

Kevin Milner: Yeah, exactly 

Adam McNair: Got you.

Kevin Milner: It would be more effort, but right you you know, you have that one tool that you know I mean that one One by one brick, you know, it’s properties. You know exactly how it’s going to work all the time

Adam McNair: now. So really often in DevOps or DevSecOps, how frequently have you guys seen that you walk in and get to pick your own tool set versus that there’s an existing tool set or some kind of give and take? Where they’re wedded to some things, but they let you pick other things. 

Kevin Milner: Um, it, it happens both times, uh, obviously when you have like a, uh, um, a Greenfield project where you’re, you’re going in and starting from scratch, that’s obviously you have a much better chance of choosing your own tools. With Kessel Run, for instance, um, Nope, 

Adam McNair: had a little breeze on Kevin’s end. 

Kevin Milner: Oh, okay. Sorry. Um, at Kessel Run, you know, we had an existing environment that we were expected to integrate with. Uh, it was already a macOS environment. Everybody’s developing principally in Java, excuse me, JavaScript. Uh, so, so that sort of, you know, dictated what tools we could look at when we went to say, okay, well, we need a specific tool to perform linting. Um, you know, the linter needs to know what JavaScript looks like as opposed to COBOL or something

Adam McNair: Okay and As a DevSecOps engineer, now, like I think back to when I’ve had development teams and you kind of either had a Java developer or you had a .NET developer and occasionally you would have some real rock star expert Something that would work on both usually in an environment where they had both applications for some odd reason, and they needed somebody that was conversant in both. But typically I always saw you either had a .NET or Java team. That’s kind of how it. In the DevSecOps space, do you view yourself as a proficient user of a certain set of tools? Or is it more the theory of it, and you can sit down and use any tool once, whether it’s documentation or a little bit of just understanding of, you know, you’re watching YouTube on it, however.

Kevin Milner: Yeah, they call those full stack engineers, and that’s what everybody wants. Thanks. Now they want, they want full stack engineers, not, not a front end guy or a back end guy. They want somebody with full stack plus DevOps plus, you know, electrical engineering, uh, all that kind of stuff. Um, but in terms of, uh, Myself, I try to view myself more as a generalist that, um, you know, adapts sort of the basic theory to whatever the application is at the time. So, I mean, I’ve done DevOps for, for a software migration. A data migration platform, uh, and I’ve done, I’ve done a form of DevOps for the tool chain team. So, um, you know, at Kessel Run. So it, it really is a base theory that ideally you could apply to any sort of, 

Kevin Long: Programming is a mindset. The rest is syntax.

Kevin Milner: Yeah. Or, or my other, my other favorite phrase, you can, you can write COBOL in any language. You can program in COBOL in any language. I 

Kevin Long: mean, that said, I mean, everyone is going to have a strength in a different part of it. Right. And, and that’s really where you get the nuance around it. And so, uh, well, you’ll have someone that’s amazing at JavaScript, you know, they’re, they’re not going to be confused If they need to open up Eclipse and start writing a bit of Java, right, or they’ll understand a bit about, uh, you know, I don’t know, EKS maybe, or something like that. But when you get into something like EKS, then you’ll probably have someone that’s come into DevOps through the standard sysadmin infrastructure build out. And they wouldn’t necessarily be confused by, you know, some Java or some JavaScript, but it’s certainly not their strength. And so Kevin’s absolutely right. Everyone is is searching for the full stack everything. Nobody’s a full stack everything. There are people that understand the principles of it and are able to get smart on just about anything from what I’ve seen. It’s, it’s, it’s a lot about the mindset, willingness and because DevOps and DevSecOps is so new, it’s people that love the readme files. That, that do well with it? I think yeah. 

Kevin Milner: If you like to read documentation, this is, this is the position for you. 

Kevin Long: Yeah. ’cause the tool that’s amazing today is gonna be obsolete in, in, in a year. 

Adam McNair: Yeah. 

Kevin Long: And, 

Adam McNair: and I, I, I saw that. So when, when web apps started to become a thing. I feel like every little tool that existed that either allowed you to cache data so that you could have a disconnected user, or it allowed you to dynamically pull information from some place and display it on part of the screen, which all sounds pretty simple now, but there was a time where That wasn’t very simple, and you’d get this little plug in thing, and you’re right. It came from a random developer organization, it had a README file, and it was really about who could understand conceptually what it was trying to do and how you configured it. And half the time you’d have to look at what, what variables can I configure in the thing, and that would tell you what it was looking for. Um, so that, that makes sense, you know? And I think A lot of the, the emphasis, you know, like you say, on, on full stack engineering, I think it’s pretty common for staffing lists initially to be built with kind of some guesswork in mind. And if you go with somebody that can do everything, It’s, your staffing plan’s probably, probably accurate, you know, because if you went down the path of how many people do I need that know this or that or this other thing, you can be wrong, because I’ve had that happen to me before. I’ve, I’ve won programs and showed up and they said, And by the way, who’s going to manage the servers? Well, what servers? Well, there’s this one bullet in the Statement of Work that said, you know, and, and other systems support, but that means we have a data center and we need the servers maintained. Oh, and so you can get things wrong, whereas if you have people that are experts that know how to do everything, you have that comfort factor that if something goes sideways, if something new happens, if you want to do something new, that You put four or five of those people together and they’re probably going to be able to figure out what comes at them. 
Um, the question I guess I’d ask around that is, that’s mindset difference. That’s a different approach from instead of give me three of these people and four of those people and I need this many of that people and all these different work streams and swim lanes of people and different kinds of engineers go into, uh, Heavy full stack organization. What else when you go to DevSecOps, just as the typical, you know, I work in Agency X and I have this application that, you know, I’ve been responsible for managing as my team did, you know, a couple waterfall deliveries a year. What are some of the major changes that happen when you do that?

Kevin Milner: Well, um, you know, some of the major changes, I guess, If you, if you focus too heavily on generalists, then you lose out on some of the, the, the specialist skills and, or it costs you more, uh, it’s one of those, you know, powers of three type things like price, quality, and, and speed, you can have two, but not the other. So I look at it sort of in that sense that. You can get a lot done if you have some general, general skilled people, but then if you get into something like, you know, needing to, to efficiently move gigabytes of data from one place to another, you’re going to need a file system guy for that, because, because your generalist just isn’t going to know the, the, the details of how to really make it efficient. So, you know, I, you could even, even say that, you know, Even if you have like a large team of, of generalist engineers, you probably are going to want to have at least one or two specialists for your, for your field, uh, for the, the, the space that you’re in just Just to make sure that you get all the details covered. Was that an answer to your question? Yeah. Here’s another, 

Adam McNair: yeah. Here’s another question along that line. So let’s say I’ve got an organization, um, that we’ve still got legacy stuff, right? Mm-hmm. I’ve got, I’ve got a, a, a legacy system that feeds some other systems. Can I go to a DevSecOps environment if I have some kind of old, creaky application? 

Kevin Milner: You Can. You can, you can do anything you want. Um, but you know, the effort involved might, might make it, uh, impractical to do so. I mean, if you’ve got a situation where you’ve got like this really old code that communicates with a a server somewhere over open text. Um, you can’t, you can’t really put that in a, in a DevSec environment, uh, you know, without, without some changes, making sure that you follow proper encrypting protocols and things like that. So, so again, it comes down to a balance between, um, uh, you know, practicality and, and, um, You know, benefit of, of doing so. Um, a lot of times people, especially like, you know, in the higher levels like to see the checkbox clicked. Okay. We’ve got, you know, this, this sort of, uh, compliance. With with this best practice, but if if it if it took you a long time to get there and and too much effort, then 

Kevin Long: yeah, but if they really want to cut over, I mean, let’s let’s walk down somewhat of the happy path because sure.

I mean, there are definitely old systems out there that it’s probably better to rewrite a lot of it. Yeah, but, but if you have some part of like a legacy system that that could be extracted, like, you know, like some sort of data sharing where it could be turned into a service, right, a web service out there, right? And with that, then you really could decide to start doing some, some DevOps stuff with that really to spin that up. Some of the major things that you’re going to have to change. Um, Yeah. Are you have to change the way your teams are put together. You’re not going to have a testing team, a development team, a production team and an infrastructure team.

Speaker 3: Yeah, 

Kevin Long: you put them all together and they’re all working for that. And so there’s a lot of times when you’re cutting over from old old in quotes to new in quotes. With that, there’s a lot of change management on the on the organizational and political side. Yeah. To get that put together, right? So where everybody is working together to push off is one of the core elements of, of DevOps is that you have everybody working together, right? You have development ended in years of security, all, all, all, all pushing, pushing it from the, from the same team. But then you also have all those tools that Kevin talked about in the beginning. It is a non non negligible amount of startup to, to put together a pipeline, uh, to have people that have done it before. If they’ve never done it before, to go through it, get to the read, get through the READMEs, learn how to be able to, you know, connect your Git repositories through, through, uh, Jenkins to have thresholds put on a SonarQube, uh, for, for code coverage as it’s running through your, your, your, uh, Selenium tests, right?

And things like that. So it, to, to spin it up, I mean, it is, it’s awesome. It will. Overtime save you time and it will allow you to deliver more value to your customer faster over time. But it is, it is an investment to, to, to cut that over for sure. To, you know, even on full and open, uh, uh, free open source software, you know, it’s not free engineering to, to put together and build, uh, a resilient pipeline. It is not, uh, without political capital to rearrange your software development and infrastructure shop, um, uh, to, to do all of those things. But where you have, where you have, uh, a legacy system that can, that can have incremental things, you know, sort of strangled off of it. Uh, uh, there’s whole design patterns around ways you can pick and choose small elements off of, uh, off of, uh, sort of larger monoliths to, uh, to, uh, make them more loosely coupled, which work really well in, in, in a DevSecOps environment. To make that shift. 

Adam McNair: So you’ve got two, two big categories of call it effort. You call it challenge might be some combination of both, but you’ve got a significant level of effort project to be done just to stand up the tool chain, the pipeline so that, you know, if you take it back to kind of a real world example of if you’ve, if you’ve had six people, You know, chess pieces and you decide that you’re going to make a factory that does this. You have to build the assembly line that makes those things. So you’ve got a significant undertaking to do that, which means you likely can’t use the same. People that you have doing your existing O&M because they are likely to either not have necessarily the skills or they are likely to not have the time. I mean, I guess it comes back to depending on how much, you know, what’s the stability of the system that they’re on and I guess I’ve been involved in, in software O&M projects where everybody seemed fine and it was kind of orderly and there was a backlog of, of enhancements is really what they were prioritizing around. So I guess if, if you were in that environment, that could certainly work. 

Kevin Long: If it’s not a bubble gum and baling wire kind of place, uh, the existing team could almost certainly do it. And honestly, if you were to talk to them. I bet, I bet you 80 percent of the folks on the ground there would be excited about it because they’ve been reading about it, looking at it, and probably interviewing for jobs at places that do it. That makes sense. 

Adam McNair: Yes, I guess it’s also possible, you know, I think one of the things that, um, that we’ve done, you know, Kevin and I, For years is to bid jobs in places where they wanted to modernize software. So it’s possible that I’ve seen an overabundance of O&M organizations of the bubble gum baling wire type where things are broken. Things are not backed up. You know, you’ve got. Developers that say, like, you know, I haven’t taken a day of vacation in four years because this thing goes down at least twice a week because as soon 

Kevin Long: as it sees I put in PTO, it starts to smoke. 

Adam McNair: Right? Right. So, so if you have a reasonably executing environment. Yeah, you could probably do it with your team. Uh, so that makes sense. Then from a, an organizational kind of thought process standpoint, you know, typically you have this, this Burndown list of user requirements where they’ve got some enhancements they’ve requested and so forth does DevOps dramatically impact that side of it. I mean, because you’re still you’re still getting your requirements from from the user base. Um, and I guess you’re not necessarily burning through them dramatically faster than you were before. It might just be a more efficient implementation. How do you see that work? 

Kevin Long: So let me give the management side on this first and then we’ll get to the tech side. What you see with the DevOps from a management side is you don’t see human error in deployments happen as much anymore. That’s really what you see. So the quality of what moves from dev to test to staging to prod is far more consistent because there’s literally no fat finger involved to fat fingers. Right. And so pipeline done right. You’ll catch those errors earlier on. That’s what I like about it. 

Kevin Milner: Yeah. Yeah. So, and also from, uh, you know, from the state, one of the ways that it can really impact is. Is you can set up a system if you have good management of your pipeline and your repository and stuff you can and you set it up with branches feature branches and stuff you can have it so people are working on parallel things without affecting each other so you might have one person working on you know the UI and another person working on the REST server in the background and anything that the UI person does. Isn’t going to affect that. And so you can build the product so that, okay, we can put in the new UI. Can’t call any of the new stuff in the backend yet, but it’s there for when we want to. And, you know, say the backend hits a major problem and they get delayed by a sprint. Well, you know, your UI guy can then go work on the next sprint worth of stuff while, while the backend guys fix it. And if you’re. If the pipeline is correct, then there’s no cross contamination of the branches. You don’t, you don’t end up with shipping, you know, a product that has the new UI, but has a UI that has this broken feature from, from the back end in it also. So it, it lets you be more granular about. Um, you know, requested new features or fixes or whatever, make it into a given, uh, distribution.

Adam McNair: And so you can definitely have what I’m hearing is more efficient use of resources, more efficient use of time. And it takes out some of the critical path areas, because I’ve definitely seen that before, too, where you have a development team. And, I mean, it happens on any team, but Out of 20 people, there’s a few of them doing nothing because it’s not time for them yet. And so because of that, um, You know, that’s, that’s the, a frustrating thing as a, as a, a being involved either as a user or as a customer where you’re there and you’re like, you’re both telling me that we’re, we can’t get this done until a certain date. And I see that we’ve got people that when you look at the, you know, the overall resource allocation, they’re not actively doing anything right. Exactly. Um, or they’re doing some task that’s way, way lower priority. But you say, why can’t they delay that? Like, well, but they can’t do that yet anyway, because they have to wait for these other things to be done. So, so that makes a lot of sense. Um, from a, a team construct idea, how different is it? Like, uh, are, are you used to as a developer? Are you used to not having any of the infrastructure security types talk to you when they do? Is that beneficial or does this get down to just it’s personality driven or how does that normally work? 

Kevin Milner: I mean, it’s, it’s a little of all of the above. Uh, all I can really speak from is, is, is through my work history, but I’ve worked in places where, um, You know, the release engineering would refuse to update the actual build environment that the code was built in, so we were still using Visual Studio 98. This is 2007, 2008, somewhere around there, and 98. Only the most current. Yeah. Um, well, but, but the problem was the, the, the code we were working on in this case was medical device drivers. Um, it, it required windows, I mean, uh, Visual Studio 98, but the the main application, uh, that would take the data from the drivers was written in, uh, starting at a certain version number was written in .NET Visual Studio, and so the problem with that was, as a driver developer, I had to release two different applications Driver versions, uh, one for the, you know, pre-version 4.5 of the software that would work with visual studio drivers and one with the next version. So, so the inability to get, to get, um, release engineering to take that supported version. And update it to use this new development tool because it was completely incompatible, uh, meant that, that, yeah, it was a lot of extra work for us. Whereas had we had more of a team focus on agile DevOps and again, this was, This was early mid 2000s. So, you know, uh, things were different then. But, um, it made it so that there was a lot more work for, for my team, the, the, the driver team and, and, A lot more testing that had to be done for for the the QA part of that because they had to test both versions of the driver and stuff like that. So it would have been really effective if we had had managerial buy in in that case to be able to make changes. 

Kevin Long: Yeah, I mean, I can tell you from way back in the day when I was a developer, you know, back in the State Department, nothing made me happier than when security got involved. Earlier on, because I’ll tell you, nothing breaks software like applying STIGs that you didn’t develop against.

Kevin Milner: Yep. 

Kevin Long: And literally, you just, I mean, you develop everything and then it’s like, Oh no, well, you can’t use this feature because.

Kevin Milner: We need encryption at rest.

Kevin Long: Well, I mean, or, I mean, or just, oh, you thought you were going to use this port. Oh, no, no, no, no, no, sorry. Right. Uh, just so much stuff. So getting, uh, the, the sec in DevSecOps, where you’re looping the security folks in earlier on is so much better.

Kevin Milner: Yeah. Yeah, absolutely. And, and that’s, I think what we talked about. In the last, in the last, uh, podcast was that, um, you have to, you have to build security in from the beginning, uh, it, it’s not something that you can reliably, uh, shoehorn in afterwards. 

Kevin Long: And it’s not something regular developers think of.

Kevin Milner: Yeah, yeah, it’s certainly not, not something I, I can consider when I’m, I’m hammering out code. Yeah. 

Adam McNair: Well, it’s something, you know, it comes back to a general idea that, that we talk about a lot, which is, it’s much more common for organizational challenges to be problems than it is technology. You know, and I, I think back to programs I’ve been involved in where really for just sometimes personality reasons, but a lot of times the alignment of priorities in one group versus the other. You know, the, the security office’s priorities were driven by somebody that had nothing to do with this app you were doing. And so you were over there kind of begging them to do security scans so you could move on with your deployment and it was officially not from a priority standpoint. It was not what they shouldn’t do be doing at that point. But in a big enough organization, sometimes Well, it’s never actually going to be your priority. This system does not have a high enough impact for you ever to prioritize this. And that’s where like, you know, sometimes there’s a contractor, almost the personal relationship of, you’d have to go over and be like, please, please. Yeah. Would you guys please just like, look at this real quick. I mean, we’re all going to get in trouble and it was, it would have to take some kind of human appeal. So I, I wonder. In the federal space, where there’s kind of the added complexity, you’ve got contractors in the mix and not only do you have the federal organization and there may be one or more organizations there with, with different charters or alignment or whatever, but you’ve also got potentially multiple contractors where because of scope and who’s allowed to do what and who’s supposed to do what and who’s being paid to do what, um, you know, I mean, you don’t, you don’t go to your house painter and ask them to.

You know, put a new microwave in because you, the appliance guy is late. Like, and that, that, that’s the kind of thing that, that happens on government contracts all the time is just because you’re there working on something. You’re like, that’s not my scope. I, I, I’m not supposed to work on that. So I wonder if we have seen organizations. Undertake change, try to transform the way the organization is set up and then go to DevOps or they go to DevOps and it helps them push the culture and organizational change in in the places where we are are working. You know, Kevin, I know we’ve talked about, about your project and, uh, Kevin Long, you know, there’s some that you’re setting up now for DHS. Do those feel like the organization was really on board with the concept of working together and the contract is just a mechanism to accomplish that? 

Kevin Long: That’s a great question. So, our DHS work is not what I think is standard because I, I, I, Absolutely think that, that, uh, they made the decision that this is the way it’s going to happen and, and be damned if you’re going to get in our way of it, right? That this is, this is what it’s going to be, um, that they are, I mean, and DHS and a lot of their subcomponents are, are newer, uh, in terms of how they’re organized. And so being newer, they’re not. As saddled with, you know, 25-year-old DoD legacy applications that, that if it goes down, awful things in the world happen, right? Um, or that they were able to, to decide much like Kevin was talking about much more earlier on much more greenfield, we’re going to stand up this. We want to do it this way. This is the right way to do it. And so they didn’t have as much legacy overhead, I think, to deal with. Um, I think that. A lot of, of, uh, of other places I’ve worked, it is really folks, uh, coming around saying, no, this really needs to happen. And then having to push the organization forward with it, uh, because, you know, everybody talks, people see the benefits or hear the benefits and, you know, it’s, And, you know, ACT-IAC and government industry, uh, groups where it’s like, Hey, you know, this is how we’re doing it. And you have CMMI talk about even have PMI, uh, the project management folks coming in, getting in on, on Agile and DevOps being the natural, uh, natural progression on from that natural next step that they want the benefits. And then you have to say, okay, you don’t just get the benefits without the work without these fundamental changes to how you operate and are organized. And, um, uh, so I actually expected, uh, some of the Organizational pushback, uh, at our DHS stuff that we really haven’t gotten. It’s more like, no, this is how we’re going to do it. 
We, we believe it more so than at some of my other contracts where we’ve like helped literally design, you know, uh, agile and DevOps work and literally have to say, all right, when. Our customer doesn’t provide a product owner to sit in the meetings. You know, at this point, this is when we’re allowed to punch out and say, okay, you don’t get to do agile DevOps anymore. Now you have to do waterfall and your world’s going to slow down. 

Speaker 3: Yeah. Right. 

Kevin Long: Where I. We literally, you know, debated for two weeks about how much intransigence from our customers we could take before we had to, to, to bust back to the old way just to get something done. Um, so it’s, it’s very exciting on, to have. Customers in both sort of both mindsets. 

Kevin Milner: Yeah. Uh, Kessel Run, it’s almost, you know, sort of the, they were created as, as an agile shop for that purpose. That’s, that’s what they made for. Um, and since this DOD security right there from the beginning is, is. an integral part of it. So we were fortunate there in that they let us, they let my cyber security engineer essentially architect, uh, the entire approval process for the Kessel Run and potentially the Air Force and the DoD. So there’s been lots of interest from, from even higher up than the detachment for these, uh, this process that he developed. Uh, so we were really lucky with Kessel Run that they let us, you know, Make contributions towards the security posture of the development process.

Adam McNair: And I think that, you know, sometimes the comfort factor of how fast something is going has to be, has to be there quick. Is aligned with risky a lot of times, and it’s almost like if you got something done too quickly, if something got too easy, if a process got automated, are you sure that it’s, you know, still compliant with whatever? And realistically, it generally can be. So, like, we’ve talked a lot about. Some of the experiences we’ve had in organizations where this is kind of the way they do business in a very, like, it’s a cultural aspect of the organization at this point. Do you think we’re going to see a point? Because I would, I would translate this kind of to agile. But a little bit different, you know, the agile mindset, I think most federal agencies at this point would say that if they’re going to do development or in a lot of levels, just program management in general, that the agile terminology has really permeated, permeated the whole everything that you’re doing DevOps. Is some theory, practice, all of that, but it is, it carries around this kind of technical assembly line behind use and it has a lot of boundary. Kind of, you know, unifying a team all into one, you know, Agile doesn’t say you have to do that, like everybody can be in whatever team they want to be in and you just, you know, whatever. So, do you think most organizations, all organizations, like is the whole federal government headed for DevOps or 

Kevin Milner: Pockets or what do you think we’re going to see? I would say some form of it. We’re likely to see in the next 10 years, generally any, any software development shop perform like a, uh, a lot of, uh, at least mimicking, uh, DevOps. Uh, you know, I hate to use the term cargo cult programmer, but, uh, you know, there, there’s a lot of that sort of mentality. Yeah. Cargo cult is after World War Two, they had a bunch of, uh, uh, you know, they had an army air bases out in, um, you know, the Pacific islands and some of the Islanders got so used to having troops stationed there. Um, they, after the, after the war was over and the planes left, they would, um, they would build mock ups of airplanes, hoping to lure back the soldiers with their bars of chocolate. And so. That’s called, that was called a cargo cult. Uh, then they came up with the term cargo cult programming, which is where you sort of, you know, imitate what you see online and hope that that, that works. And that’s not the ideal situation. So, so you might see a lot of people that are At least trying in name to, to adapt, uh, agile methodology and DevOps, but if they don’t actually believe in it and, you know, really sort of live by it. 

Kevin Long: So I think what we’re going to see a lot of with the bigger agencies now, there, there are a lot of smaller agencies out there that, that honestly, looking at the layout of, Of upfront cost to put DevOps in place is going to be problematic, um, until you get someone like GSA, like 18F did with, with a lot of their sort of their, uh, stuff, maybe someone like GSA might start selling the service, but I think things like platform one out of DOD. Uh, or are going to start having, uh, DevOps service that they can sell to the, to the different components within themselves, within themselves. And so, uh, I think that, that we are, we really are going to see it, uh, because it, it is, uh, It reduces risk. It includes security earlier on as a core component of software development. It reduces human error, and it speeds time to release as things go. And Where the larger sort of Uber agencies can, you know, as they’re creating platform as a service and things like that, DevOps as a service, I think is going to end up becoming more and more of a thing, you know, go buy yourself tool chain as a service.

Adam McNair: Yeah, and I think one other thing that I would say will probably help it is. As opposed to 20 years ago, there it is so much more common to see agencies working together, to see shared services come out, to have to see as a service offerings, um, and also for federal employees to move from agency to agency and come out into the industry and then go back into government. And I think, uh, You know, there’s been a lot of times where I was involved in programs where there was a lot of stasis and everybody that was working on the program, contractors and federal had all been there for 25 years. And when you have that, there’s not really a good opportunity and that the perception of risk from something different, if you’ve never seen it in person. I can absolutely understanding them say, like to Milner, to your point, when something infinitely bad could happen, whether that’s weapon related, whether that’s no, no, you know, no, no checks get out to, to, to Americans, the food stamp program stops working, like whatever that would be, I can completely understand if you’ve, if you’ve never seen it work before, you’re like, well, cool. Somebody else can try it first, and even if they have tried it first, every agency’s requirements and architecture are unique enough that you can still say, well, it might have worked for them, but it doesn’t feel like it feels like it’s risky here. Whereas I think if you have enough people that have moved around to enough organizations, um, and you have forums like Act IAC, where you can, uh, go You know, we were just talking today. We’re going to be one of the sponsors of the ELC conference in Hershey in November and several of us will be there. You can go there and talk to a dozen different agencies and a dozen different contractors that are have implemented it all in one day. 
And do much easier research than you ever could have just kind of, you know, sitting in your, in your one agency as a, as a federal employee or as a contractor, uh, without exposure to it. But so I, I do think, you know, it’s certainly something. Our staff, when you, as we hire employees, everybody wants to work on this kind of stuff. I think being in, in, in leading edge technology environments is exciting for everybody. And I think, uh, for people that are, that are federal employees that want to be able to more efficiently get, Change and value generated for their mission. It’s exciting for them too. So, um, yeah, so it certainly sounds like it’s, uh, it’s going to continue. Well, uh, with that, uh, we’re up on time here.

Thank you for listening to the Highlight Cast. Uh, thanks Kevin. Thanks Kevin. And, uh, to keep up to date with the news and activities, follow us on LinkedIn. You can visit our website, highlighttech.com and you can tune in to our next episode. Thanks, everybody.

Episode #18: Recap HIMSS 2021

Kevin Long: Broadcasting from Fairfax, Virginia, you are now tuned in to the Highlight Cast with your hosts, Adam McNair and Kevin Long.

Adam McNair: Hello, welcome everybody to another Highlight Cast, uh, joined as usual by Kevin Long. Hey, Kevin. Adam, how’s it going? Good. Also joined with two guests this week with Ashley Nichols, who leads the corporate strategy and development here at Highlight. Hey, Ashley. Hello. And also, uh, Emily Scantlebury, who runs our BD operations, um, and supports, uh, Capture. Uh, Emily, how are you? 

Emilie Scantlebury: Hey, Adam. Hey, group. Doing well. Thanks. Thanks for having me. Great. 

Adam McNair: Great to see you. So. Our topic for today that we wanted to talk about, so we actually went to a real live conference, uh, which is, to my knowledge, I think it’s the first one that we’ve been to since, uh, March of 2020, is my, it’s my recollection. Um, because I know we talked about in one of the previous episodes, I think, uh, Kevin and I had taken our last couple corporate out of town trips really, as far as travel, but so this was a To the HIMSS 2021 conference in Las Vegas, uh, HIMSS 2020 was canceled, I guess. I think, you know, maybe some of the 21. But so the first question, how did the conference operate as far as, you know, kind of things are, you know, certainly different. I know, I think HIMSS happened right on the, the, the cusp of, you know, masks on, masks off. Um, you know, that actually anything. Any kind of reactions from just what it’s like going back to a conference after all this is gone on for two years now?

Ashley Nichols: Yeah, it was definitely kind of weird, but you know, I think like HIMSS required everybody participating to be vaccinated, right? And you had to either show your card or use one of the new, uh, Um, Vax passport, uh, apps like a clear has one, for example, that’s free. Um, that stores your info. But I think that the fact that it was spread out over like three hotel and casinos, you know, kind of, it burst that bubble a little bit because you had to go through so many. folks. Um, I think that’s not usually the case when they have it in Orlando at the convention center. I think that this year was kind of like, um, it was kind of like the Olympics, right? Where we kept calling the Olympics, the 2020 Olympics. There was a lot of signage that still was like from 2020 HIMSS. Like they pushed a lot of it forward. They held it. In Vegas in August, because I think they just wanted to get it done so they can get back on track for 2022. It’s gonna be in the spring again back in Orlando. Um, but it was good. And people in Vegas, surprisingly, were very mask compliant. We didn’t see any dust ups or anything, as you might see in Sin City, or you might expect, but I felt like people were good and places were really. Pretty strict about having people mask and reminding them to remask and things like that. So, um, all in all, not bad. 

Adam McNair: Gotcha. And from, uh, HIMSS standpoint, so is it normally in Orlando? Is that the, their typical location? 

Ashley Nichols: I’m not sure it’s like always in Orlando, but it is definitely a heavy favorite for that. And that is where it will be again, March. Um, and it is then in the convention center. I think it’s been in New Orleans before too. Um, but I think Las Vegas was one of the first places really open to getting conferences going again. Um, and maybe it was able to accommodate their schedule. Nobody chooses to go to Vegas in August, really.

Adam McNair: Yeah, I did notice that. I know I, we had talked a little bit about. What events we think we might be going to and I know Emily and I had talked about one that is in Detroit in December, so yeah, that and Vegas in August are probably, I’m guessing somebody got a break on the conference costs to be able to make that happen. Vegas was crazy heatwave then too, right? Uh, 

Emilie Scantlebury: yeah. It was a hundred and five hundred and two, but it’s, you know, it’s a desert, a hundred and two, a hundred and five. So during the day, it’s, 

Kevin Long: so you only burst into flames after five minutes out in the, in the air instead of, 

Ashley Nichols: well, yeah. The even funnier thing is there was like, well, it’s a dry heat, but, uh, every, all the locals were complaining that it was unseasonably humid there while we were there. And we’re talking like 35%. So for us, that’s like nothing, but for a place that’s used to like zero humidity. They were so sweaty and uncomfortable. Like I felt bad. I was like, Oh wow, really? Okay. 

Emilie Scantlebury: But, you know, I was just going to say to Ashley’s point, it was, um, it was of course our first conference back and it was really intrigued to see how some of the logistics were going to run, like the check in process, because we did have to show that proof of vaccination. You had to make sure everybody was wearing a mask. the entire time and it was very smooth. So credit to the show organizers, you know, HIMSS is such a big presence across multiple industries or, you know, a number of people there. Um, and I was really pleasantly surprised at how smooth it was operating.

Adam McNair: Yeah, which does leave me, Emily, I was going to ask, what So for anybody that hasn’t been before, so HIMSS is kind of the premier health IT conference, but it’s, it’s commercially in government, but what, how would you summarize kind of the overall scope of the of the conference? 

Emilie Scantlebury: Great question, yeah, so it’s pretty, it’s pretty large. It’s Spans big pharma, um, individuals who run networks of hospitals, Uh, federal government, federal health IT. Um, and so the scope of the conference touches, you know, touches across that space, whether that’s looking at trends in the commercial space. Um, and I think that’s the one thing that’s really important in terms of really, um, you know, as we look at the, you know, in the health care space, looking at trends of emerging health care techniques, emerging health care, new tools and technologies like physical hardware, physical software, things of that nature, all the way to like, talking about COVID response on the government side and how the government is allocating funds to, you know, to, to help. I’m going to be talking about how we’re going to respond to pandemics in the future. Um, so, you know, it was very vast, a number of breakout sessions, all happening concurrently. It’s really interesting. to be able to see all those different kind of flavors in the health IT space kind of come together and and find the commonalities across industries.

Adam McNair: Well, very cool. Yeah, it’s a conference. I’ve not been to before. I’ve typically as far as conferences. I think I err on the side. IAC or FC, a kind of government industry organization conferences, as opposed to, um, kind of focused line of business, uh, conferences, but I know a lot of people that have gone, I know the LinkedIn streams as everybody was out there, you know, a lot of, it felt like, you know, hundreds of posts a day from, uh, from people that were out there. So as far as. Major areas of discussion. Um, so Ashley, do you have like thoughts as to what really stuck out to you as far as major kind of conversation or themes to the, to the, 

Ashley Nichols: yeah, I’d say, you know, Emily and I stuck a lot to the ones that were based around, you know, Federal health care, right? So they had federal, they had a federal health care pavilion. Um, and so folks who were sort of focused on that, um, and then the conference, the mini breakout rooms around that had a lot of things focused, um, on issues within sort of federal health care. So you had VA, DHA, sorry, DHA, um, HHS folks, a lot were the speakers there, or people who support them from, from GovCon. So I think a lot of our stuff was focused there. Obviously, there was a ton of talk about COVID and the ways that it has changed health care, the ways that it has changed technology to provide health care, um, and, and some innovations around there that I think Emily will talk about one that we found super intriguing. In, in a minute. Um, there was a lot of talk about sort of usability and viability in this intersection of creating tools that are functional for the industry, but also more user friendly and intuitive there, you know, and, and that’s on a broader scale, that’s not just federally focused, but, um, as VA and DOD often remind us they’re, you know, the biggest healthcare provider in the country with the services they provide for veterans. So, um. They have to be very customer focused in a lot of ways too. And a lot of systems are focused very much on provider needs and not necessarily user needs, but even on the provider side, not necessarily really understanding what it is the nurses in these hospitals are doing or the providers are actually doing and how they need to use the system. So, um, I saw, you know, a number of things about modernization and design. You know, in discussion around the IT. And what else, Emily? We heard a 

Emilie Scantlebury: lot about some emerging tech and, um, you know, biometrics information, how biomet the rise of biometrics is not only helping secure a lot of the new softwares and, um, user interfaces out there, but it’s also helping improve the usability for those users. So, um, kind of looking forward into the future, how biometrics might change, um, the way in which we’re developing software, uh, and the way in which we’re kind of as end users, even in our civilian lives, um, using that software. We saw that a lot. 

Ashley Nichols: I think, and there was a lot about, obviously data, um, electronic health records, uh, records portability. Which is equally as applicable within, you know, sort of the federal spaces as it is with, uh, commercial spaces, um, and then security around that data. This is my, my new favorite buzzword that I’m here to learn more about this homomorphic encryption, which is really about securing large amounts of, of data in the cloud. That’s really specific to. Uh, not specific, but very applicable, obviously, to the health care industry, but it also allows you to run a lot of processes on that data or maybe extract useful information from that data without decrypting it. So you never use the security features while still being able to run process on it. That’s the big thing there. And interestingly. We recently did a survey at ACT IAC of government IT leaders and people supporting IT leaders to figure out which emerging technologies were going to be, uh, super important to them over the next five years. And this homomorphic encryption was at the top of that list as well. So I went from, you know, not knowing about it three months ago to now repeatedly hearing it, hearing about it and seeing it, you know. As you know, really kind of an emerging technology focus for for some of our government customers, 

Adam McNair: you know, and I think protecting it that kind of information. Um, and I think back, I was involved at 1 point in, uh, training for HIPAA implementation at the point where HIPAA kind of started and that was pretty cloud. So, at that point, it was, you know, Kind of simple. You just said, look, either this system holds PII or it doesn’t, and if it does, we just note that, and you have to get an extra level of approval if you’re going to have any data exchange with that system. But they were physical systems, and you could say, well, we know where it’s stored, because like, you could point to the box and say what’s right there. And, uh, as that becomes cloud driven, you know, there’s so many things that that cloud has revolutionized so many things and data exchange is so much different and processing and everything else. But that kind of security is is so much more complicated. You know, we see that with CUI. Uh, we see that with, with PII, um, once, once you get information and it’s kind of just everywhere and then replicates the places and all of that, there’s a lot of complexity that comes into that.

Ashley Nichols: And I think that this aims to, um, remove the necessity for that replication, right, which is that you’d have like one version that’s complete with PII, then you’d have one that was stripped out or slightly different. For another system to use and another system to use, if you don’t ever have to unencrypt the data to run the business processes that you need to from a central location, then you can, I guess, have a more singular data source or data lake of all that information and run multiple processes out of it.

Kevin Long: And it’ll be so much faster not having to unencrypt the data to do the work on it and then just have the response. The data that is worked on with the encrypted data. Also be remaining encrypted. So that work product of that remains encrypted and it’s all there. And it’s so much more than just encrypted in transit, encrypted at rest. Now it’s. 

Ashley Nichols: Yeah. So I would expect to see more of this in, in things. Wouldn’t be surprised if we saw something, if this would pop up, say at the Act IAC, you know, conference coming up in the fall, that kind of stuff. I think we’re going to see a little bit more, um, about that. I, I mean, I’m, I’m super interested in, especially as we start talking about, you know, larger data management issues and. And, you know, the theory, the concept of creating data lakes and all of that stuff, uh, I think we’re going to see a lot more of it. 

Adam McNair: So an interesting topic, um, you know, we talk about AI a lot and I think a lot of these topics, you know, I’ve seen before, whether it be the, um, The Gartner Magic Quadrant, they also have a hype cycle of where things are. If nobody’s ever looked at that before, their hype cycle is where something is from the standpoint of being talked about to actually being understood, to being In production to where it really is kind of a tested technology, and I think AI was there a while ago. Like I, you know, at the point where people were talking about cloud, they didn’t really know what it was. They just they heard that it was good. And so they wanted some. Um, and I think AI was there a couple of years ago. We had conversations as we would be solutioning deals or we’re talking about programs. Where AI was on the roadmap, but it didn’t necessarily have a definition to it. Um, I have seen, you know, and I think this ties into PII. I will say one of the things that that we’ve done internally is we now use an AI driven tool that that monitors our enterprise for PII. So even after you’ve had a policy established that says, Hey, don’t, don’t send this in an unencrypted manner, don’t email this out, et cetera. I mean, you can tell everybody what to do, but you know, when, when you, anytime you see the grass worn because people don’t want to walk the sidewalk, you know that people are going to do what they’re going to do at some levels. So we’ve, we’ve implemented AI tools so that we’re constantly looking for things people might be doing that are a PII or CUI risk. So I do think there’s an intersection of AI with that. But I’m curious, did you guys have, I, I know that there were, there was AI on the agenda. I’m, I’m wondering what kinds of, you know, how much of it, what was talked about and, and what areas you, you know, you, you heard people discussing AI at HIMSS?

Emilie Scantlebury: Yeah, so we, we heard a lot of AI and that’s to be expected. I feel, you know, AI has been, to your point, Adam, talked about for a couple of years now. And I think as an industry at large, even outside the federal sector, it’s something that we are all learning on what that actually looks like from an implementation, um, and execution standpoint. Uh, the large kind of message that I heard, especially on the first day during one of the CIO panels was how our understanding of AI, um, is changing a bit, especially with the rise of global pandemics, the rise of natural disasters. Um, you know, when, when these events occur, it’s feeding these algorithms that have been driving AI for that AI bot for years. It’s kind of skewing their data, and it’s changing the way that that the AI is thinking, changing the way that they’re ingesting and behaving as a result of that data ingestion. So, um, it’s kind of begging the question of what new role does human data cleansing play inside of AI and, and the expansion of that, I think. You know, a big takeaway that I really heard frequently was it’s going to be a bigger footprint than what we had initially anticipated as an industry where we thought, you know, hey, we can build these algorithms. We can create these massive data lakes, um, feed it into the AI and kind of let it do its thing. You know, it’s going to require much more of a human footprint. So it was interesting to really listen in, uh, because of course COVID was a big theme on, on how that, how that’s kind of skewing, um, some of that.

Adam McNair: Yeah, I, I think it’s, that’s where for me, the conversations about how much can be automated, tuning AI and having human engagement, it usually is not just one or the other. Uh, there’s usually some sort of, you need to have kind of a well defined charter for what you’re trying to accomplish and then you can decide how much of it is technology and how much of it is people, uh, which I think ties into something else that when I’ve supported health IT, it’s mostly been Health and Human Services. HRSA, NIH, uh, those kinds of organizations, uh, a a little bit, very little on the, like the DHA or or VA side. I’ve been, you know, at, so back when I was, you know, CACI, years back, uh, they had quite a bit of VA work and so I would talk to those teams. But as far as direct support, it was always the, kinda the HHS side of the world. Um. And there were different parts of the government, at least from my experience, where some agencies, when they were tackling a technology problem, it was a technology lead supported by the kind of medical health science community, and then in others, it was the reverse. It was the mission science. Your customer was a doctor. Your customer was a research scientist, and, um, And technology was very much just an enabler. Uh, I’m interested, you know, whoever wants to, to, to jump in first, perspective of the technology and, and health balance. And was this an IT conference with, with medical aspects? Was it a health conference with IT or is it more integrated than that? Neither of you have thoughts around that angle?

Emilie Scantlebury: I think, you know, it, the message was it’s truly a mix, um, where we are in a boom right now of information technology expansion from physical tools that are getting better every year to AI to software that’s getting stronger and it’s getting integrated more and more into our lives daily. Um, I think the big message that we heard was it’s not a bandaid where we have challenges as an industry to better serve your end users, whether those are doctors or that’s a network of hospitals, or that’s understanding and visualizing data trends to better prepare for the next pandemic. A software only takes you so far. Um, you know, it really is driven by people and whether or not, um, your organizations, whether that’s DHA or Highlight, um, whether your organization is equipped from a process standpoint and from a people standpoint to really implement and leverage and, and, um, capitalize on, on that new information technology. So it was definitely a mix of both. We heard some really cool new IT trends, but we also heard some of the. Challenges like this AI piece where, hey, there needs to be more people push, more human push, more, um, you know, support human support behind it. So both would be my takeaway. Ashley, did you have any thoughts?

Ashley Nichols: Yeah, I agree. I think, I mean, there were some, I mean, like I said, there were literally like hundreds of sessions. And so some of them are very much focused on a type of technology or a type of thinking or innovating within the federal IT workspace. Some of them are really specific. So like, you know, a lot of things around again, like I said, the EHR came up a ton, even just by casual mentioned in everything. And then, but then there were also a lot of ones about how providers are leveraging existing technology to provide services in a new way. There was, you know, there was a lot of focus on some mental, not a lot of focus, but I saw several around. Leveraging social media and technology platforms for providing, uh, mental healthcare in a pandemic and even post pandemic thing, right? You have a lot of people who are anxious and stressed and they’re seeking out these services and, um, you know, trying to find a more effective way to reach out to this constituency. Um, there was one about someone was using TikTok, um, to, to put out information about like, Pandemic mental health care, you know what I mean? Like taking care of yourself in this or whatever, but so, so it was like the hardcore technology. And then I am a provider of health services to people. And this is how I use technology and leverage some of these tools and things that are out there. Um, but always, and then, but especially during this time, and then in a lot of cases, how it’s somewhat permanently shifted the way they will continue to provide some services, um, pandemic not withstanding.

Adam McNair: You know, I think as I’ve been to some conferences, you know, like this, or just met with customers about, you know, mission, I think that’s one of the areas that I, that when we, when we engage on programs, I think it’s one of the reasons why we’re always excited to work on, you know, what we kind of call mission area. Technology solutions. It’s because kind of being able to add in some understanding of what the actual work domain is. Um, you know, I think about having worked on consular systems for State Department and you have conversations about, well, Out of 270 locations, you know, some of them have bandwidth like you’d be sitting across the street, and some of them are low grade dial up connectivity that, and of course I’m sure some of that has changed now, but when I was working on it, you know, low grade dial up that’s not always available all the time. Um, you know, I think I’ve, I’ve been involved in things like that. I’ve, I’ve had conversations with, um, you know, when you look at first responder, whether that be, you know, DHS, um, they’re showing up on site that how they don’t know when they’re going to have access to power. They don’t know when they’re going to have access to Wi-Fi. Um, also some of the, the law enforcement was like, have you ever tried to wear a tactical helmet? And, and tactical glove and type on a, on a tablet, um, and just some, some things like that, that are real life use cases that they sound like, oh, okay, well, we’ll just go ahead and note that down. But it kind of informs everything that you’re doing. I mean, it, it, the entire approach has to be shaped around, and The specifics of how it’s going to be used. Um, you know, one of the kind of integrated technology and health topics that I’ve heard, you know, around federal programs for a long time is the concept of telemedicine. I know. 
Just so many things, whether it’s disaster recovery, and they go, like, we can’t get a bunch of doctors there, but if we could get an x ray machine there, we could have somebody read an x ray and, you know, almost anywhere. And a lot of commercial health care providers have done that. I mean, I don’t know if you guys have done this, but, um, You know, our company healthcare has a telemedicine feature and, uh, during COVID at some point where, you know, one of us needed something at home from a healthcare standpoint, we’re like, Oh, well, I guess we don’t want to go to the doctor. We did the telehealth thing. And they’re like, yeah, that’s probably this. And we’ll, um, you know, get your prescription or something. So you don’t have to actually go to the doctor, which at least for us was never a big deal before. In the, in the height of the COVID standpoint, where you’re like, I don’t think we want to go sit in a doctor’s office right now. Um, so I I’ve seen that on the commercial side, how much telemedicine type of, of conversation was there at, at HIMSS? 

Ashley Nichols: Yeah, Emily, go ahead and tell them about that Army program that we saw. That was so cool. 

Emilie Scantlebury: Yeah, I would love to. This was one of my favorite sessions that we were able to sit in, and this was hosted at the federal health pavilion. So it was really interesting to learn about. It was a program called NETCCN, and it was provided by DHA but funded by parts of HHS. And essentially, to, like, explain like I’m five, it’s sort of like FaceTime for doctors, where these rural communities that may only have one or two doctors, one or two surgeons in their networks of hospitals that are in a radius of 100, 150 miles, whatever it may be, who were completely overwhelmed by COVID patients needing care immediately, and needing some pretty intense care, were able to work with DHA at no cost to the hospital and essentially, like, order doctor support. They were able to completely brief on their patients. It’s all through just a 4G network. They didn’t even need high connectivity, which is a big problem for rural communities, of course. So with low connectivity, they were able to just hop on, talk through, chat through what’s happening with their patients and get that support on demand. It really helped impact these smaller hospitals and the number of patients that they were able to treat, especially as they were becoming overwhelmed with COVID patients. So it was really cool to hear how telemedicine, which has started only a couple of years ago, was able to impact something that none of us could have seen, which is that response to COVID. So, yeah, I really liked that session. 

Ashley Nichols: It was interesting that they said that they worked with a couple of specific partners. I think Deloitte was one of them and another company, and these were the physician providers, right? And they provided these essentially on call physicians that could be used for just these understaffed facilities, which obviously would have applicability as we continue to face doctor shortages across the country, especially in rural areas. You know, it could change the paradigm there about the quality of care that it will provide. Someone else’s first question was, do you see this being a commercial offering? And he’s like, well, no, we’re DHA, so whatever. But I wanted to say, I bet your boots those companies that are providing these doctors for you already have a commercial offering to do the same thing, to contract out with some of these clinics and hospitals. But yeah, it was definitely one of the cooler ones, and just to see how that program came together inside the federal government, facilitated by DHA, funded by HHS, made available to the areas in need across the country. 

Adam McNair: Yeah, that’s very interesting. It was a while ago, but at one point I was involved in a HRSA program out of their rural health organization that did focus groups around the country. So HRSA was funding in-person focus groups around the country to understand gaps in health coverage, because data is one thing and you can go and say, hey, I only have one doctor per X number of people in this county, or those kinds of stats. But when you actually sit down with them and say, if you haven’t had a checkup, why didn’t you go get one? And they say, well, actually, it’s because the one doctor that we do have is all the way on the other side of the county. So it really isn’t an even distribution where they’re in the middle. So it’s a two hour drive for me to get there, and they’re only open during hours where I’d have to take an entire day off of work, and I only get so much time off, or I’m paid hourly, et cetera. So I think it’s really neat to see times like that where the federal government is able to understand requirements, because this country is really diverse. I mean, when we work on systems for the government, one of the things that I always think is so interesting is their requirements are unique so many times, because sometimes it’s geographic distribution, global distribution, the encryption and security requirements are different, which could be interesting. And I’ve seen, working on disconnected user scenarios, where they said, look, we don’t know how often these people are going to be able to be attached, and that’s kind of easy to do now, but it didn’t used to be. And so I think a lot of those kind of technology use cases, the federal government at times is a forcing function to say that they have a requirement that they’re willing to pay to have fulfilled, because it may not be commercially viable for 
a commercial company to decide they want to offer uniform coverage across the country, but when the government prioritizes it and is willing to put funding behind it, it’s interesting to see what they can come up with. So a very neat kind of scenario, encouraging when you can hear something like that, where the government’s able to provide something that’s helpful across the country. So as far as the conference, I know you said that there were tons of sessions. Were there specific speakers or anything that really stuck out to you as far as, hey, this was great, it was enlightening, or there was some aspect of it that was compelling, that still sticks in your head several weeks after the conference now?

Ashley Nichols: Actually, one of the last sessions that we went to was the CXO conversation. It was the former CIO from VA, James Freer, and then Don Rucker, who’s the former ONC national coordinator for IT. And I had to actually look up ONC, but it’s in big HHS. It’s the Office of the National Coordinator, but I guess they have different coordinators, national coordinators, around health. So basically he was like the CIO there, sort of advising the technical direction for HHS. And they talked a lot about sort of the modernization and the things that they were trying to do in the agencies when they were there. VA especially, we all know the visibility that VA has been under the last several years, and technology plays a not inconsequential part in helping create some of the improvements around services for the veterans. But it was how much they didn’t just talk about technology so much as they talked about organizational change and culture, and creating the organizations to provide these services so that they would better align with the mission that they were there to provide. And then one of them, actually, I think it was Freer from VA, recommended this book. Can’t remember what it’s called, but it was written by this woman from Gartner, and basically it was like the Machiavellian approach to being a CIO. The whole point was that people consider a CIO in a lot of ways a very passive person, or not a difference maker within the organization, and it really advocated for how that is not true and how to be sort of the lion in the CIO organization. And looking into that book a little bit after he recommended it, he said it was like the best thing for a CIO to ever read. 
It made me sort of understand where he was coming from much more, and sort of, you know, really trying to be a force for change through IT to meet the mission requirements within there. But a lot of it too was about creating the right team and creating the right culture, and reinforcing the notion of what mission they were there to serve. So it was just as much about, I think, organization and people as it was technology, to Emily’s point earlier. 

Adam McNair: Yeah, it’s an interesting conversation to have. And I think, whether it’s health IT or any space where you’ve got technology leadership outside of the program organization, I mean, I’ve seen CIO and CTO organizations that were very much just recommendation driven, and they would try to suggest a target architecture, but the people that had programmatic funds could still spend them as they wanted. Sometimes they were inserted into the procurement workflow, and then sometimes they drove everything. I mean, I’ve been a part of having an agency decide that they were going to consolidate all IT spending under CIO, and now they spend the money, so it doesn’t matter that you said you really liked, you know, low code platform, whatever. If that’s not on the baseline, you’re not going to use it. And so I think, like anything else, every agency is different. There’s no right answer for the way that should always be. And I think when you get down to the people in the role, there are probably personality fits that are team builders and facilitators and would really thrive in an organization where, even though they don’t control any of the funding, they would be kind of organizationally change focused and move forward. And then there’s others that would probably be, from a program management kind of standpoint, more effective just owning all the money and saying, look, you give me your requirements, I’ll build all your systems, and then you let me know if you need something worked on. I think 

Ashley Nichols: the thing about the VA guy is that he presumably was there during the last five, seven years where there’s been that huge focus on veterans not being able to get appointments, no availability at their VA centers, and then sort of no visibility on how to help these folks, people waiting six months for appointments. And those are the kinds of problems that in large part have been solved by technology, right? Unifying scheduling capabilities, so you can create visibility into, if this person can’t be seen here, where can they be seen, and how to flex those resources. And so, you know, obviously from a sort of how they provide healthcare is one thing that changes, but I think there were a lot of technology changes that went into VA’s more high visibility challenges in the last couple of years. And so hearing him talk a little bit about his philosophy as a CIO, knowing that that’s when he was there, it was pretty interesting. Oh, yeah, The Wolf in CIO’s Clothing is what the book is called. Emily just reminded me. I did download it on the audiobook. I haven’t finished it yet.

Emilie Scantlebury: Very cool cover as well. It’s enticing.

Adam McNair: So there’s one other thing I have to ask about. So as you guys were returning from the conference, I got a video texted to me of a robot. What was the deal with the robot at the con? Because here’s the thing. Every now and then I’ve been to conferences where they try to have something cool that kind of draws you in or whatever. I’ve not been to CES. I’ve never made that leap to say, like, oh, I should go see that. But, you know, little stuff like, oh, look, here we have a drone, or here we have whatever. There was a robot. What was the deal with the robot?

Emilie Scantlebury: We’re best friends now. We’re pen pals. No, I’m kidding. 

Ashley Nichols: The video is posted on our LinkedIn, for those of you who are interested in seeing what it is. I honestly cannot tell you what company that robot was repping. Like, we immediately saw it and I was like, Emily, 

Emilie Scantlebury: you have to talk to it. It was tunnel vision. We locked eyes, you know, robot eyes to human eyes, and I was like, I have to shake this robot’s hand. Walked up and we had a conversation. It listens. It didn’t hear me one time because, you know, we’re on the conference floor, and so it said, oh, I’m sorry, I can’t hear you, and it turned its head where the speaker was to, like, come in and lean in and listen to me. It was like having a conversation pretty much with a person. It was honestly wild. When I went to AFCEA Rocky Mountain, which was two years ago now, I had seen the robot dogs before, but this was my first time seeing more of a person, if you will. 

Ashley Nichols: He was so small, I just wanted to call him a robot child. But of course Emily was like, I have to meet this robot, and I of course was like, well, then I have to film this. And she said, can I shake your hand? And he said, not too tight. Yep.

Adam McNair: Wow. It was an impressively fluid interaction from the video that I saw. I mean, the thing initially, when we showed it, it looked a lot like, if anybody has seen the old 1970s Buck Rogers TV show, there’s a little robot named Twiki. It looked a lot like that. Except I think that thing just had a speaker in it that a human spoke through, as opposed to this was a little, kind of, I don’t know, how big is it? Was it like kid sized? Is that approximately how big the thing was? 

Ashley Nichols: Yeah, it’s probably four feet tall. I’d say four and a half feet tall. Yeah, that sounds about right. I mean, it could move around, it could roll around. It definitely adjusted itself, like pivoted to face us as Emily was talking to him. And interestingly, as we walked away, like we were probably 50 feet, 100 feet away, and he was still watching Emily. Like trained on Emily, I guess, until someone else comes to interact with it. It’s just trained on that subject. But yeah, it was a trip and it was a fun thing. And again, it’s on our LinkedIn. Everyone check it out. 

Emilie Scantlebury: Yeah. Shameless plug. Go check out our LinkedIn. You’ll see the best video from him. So it was really cool. It was, 

Ashley Nichols: You’ll notice at the end, Emily’s eyes are kind of like saucers, based on the interaction itself. You know, a little bit of amazement, maybe a little bit of fear. I’m not sure, but it was definitely funny for sure. 

Emilie Scantlebury: Yes, it was a mix of emotions. And if you all could see my eyes right now, they’d be the same. Every time I think about the robot, just.

Adam McNair: Very cool. Well, thank you guys. I mean, I think it’s super helpful to hear kind of the experience of going to a conference like that, and especially these multi day conferences. I think now that COVID is a thing, the decision process is even more complicated if you’re going to go to one of these conferences, because you don’t know exactly what to expect. You know, is it still going to feel like it is a reasonably beneficial interaction going to this conference, or are you just there and it’s segmented and it doesn’t feel like it was helpful because it was so compartmentalized or whatever? But it does sound like there was a lot of good content. The question I guess I’d have to ask as we wrap up here is, so HIMSS is coming up again in the spring. Is that the next iteration? Yeah. Yeah. So do you guys officially recommend it? Like, do you feel like this was a good use of three days? 

Ashley Nichols: I think that for this one, it was a good learning experience for us about how to most effectively participate in HIMSS going forward. I think from a participation standpoint, the networking opportunities are good, visibility into what different agencies are doing is good. Even if it’s stuff that we don’t specifically do, having an understanding of where that segment of government health is going and looking to is always good from a situational awareness standpoint. So I think it just informed us on how to make the most of future HIMSS engagement. 

Emilie Scantlebury: I was going to agree with Ashley. Definitely for anybody going into HIMSS, if you have never been, it is probably the largest show I personally have been to in my career. And as such, it’s not something that you can go into, kind of, and float around. You know, really look at that schedule. Really make your plan. Ashley and I had pre-picked a couple of our sessions, and I think that’s why we were able to take some of those takeaways out. We did hear from others like, I don’t even know where to start. So they provide a lot of good materials leading up to the conference. So definitely closely review those as you guys are preparing. So yeah, I think I would go again for sure. 

Adam McNair: Great. Yeah. I do think that when they have some kind of either a domain or some kind of a focus, it makes it easier. I’ve gone a couple of times. I don’t know if FOSE is still a thing, but FOSE used to be like just the giant federal contractor event. And I went once or twice and I was like, you know, if you happen to sell a better kind of waterproof boot or a helicopter maintenance app or whatever, I can understand going and trying to roll out your product or get people’s attention, but as a general kind of service solution contractor, other than just stopping by to see people or network a little bit or whatever, it was a bit overwhelming and kind of just, you know, not focused enough where I really felt like I got tremendous value from it. But HIMSS sounds solid. So I mean, it sounds like we’re probably going to have more people going in the future than less. And it seems like as they move it around, as you mentioned, one consolidated location is always nice for a conference, so that you don’t have to be strung around or taking shuttle buses or whatever. Well, great. Well, thank you. I hope everybody has enjoyed the kind of general conversation around HIMSS 2021. We’ll probably do this as we go to major conferences. ACT-IAC, uh, Imagine Nation, I believe is what they refer to it as now, is a big government industry conference, and we’ll probably talk about that as we have some of these other ones that are booked. We will certainly speak about those. Ashley just mentioned that she and I attended a conference a couple of years ago in San Francisco. That was SimTech. It was a semantic modeling technology conference that, because we had, we’re doing a pilot program at our company, we got invited to come to. 
And that was probably also an example of something that was really, really focused around the technology area, that when people were interested in that technology, that was definitely a place to be. But I don’t know how deeply we fit into that overall community. Was that, is that your recollection, Ashley? 

Ashley Nichols: It was. Well, we were there, though, with a partner company. It’s your point about why you go there, because you have something to roll out or show, and they did, right. They had a low code solution. They were based out of the Netherlands. And so they really belonged there, and us being sort of their federal partner, we tagged along and did some boothing to talk to some federal customers and that kind of stuff. 

Adam McNair: Absolutely. Yeah, so that was SimTech a few years back. And just as some notes for other things that we will be attending, so you could probably also look for an episode as a recap: we’re going to be going to DOTUS later this winter. There’s an AWS conference coming up, and there’s also tentatively, I believe, a software factory conference. That’s the one that’s supposed to be in Detroit in December that I think we may be going to. I know I’m really excited about the weather for that, but we will let you know which ones we’re going to be attending. You can also keep up on our activities like that through the news link on our website, highlighttech.com, or our LinkedIn feed, which is always a really good source, Highlight Technologies, the LinkedIn feed for where we are and who’s doing what inside of the company. So our next episode, we are going to go back into our deeper dive of DevSecOps with some of the technology notes and explaining some of the intricacies of what certainly sounds really, really intricate but seems like it operates like a well oiled machine when the right people are doing it. So we will get back to that, but that will conclude today. So thank you to Kevin, to Ashley, to Emily. Thanks everybody very much for listening, and we will talk to you on the next Highlight Cast. 

The views and opinions expressed in this episode are those of the hosts and do not necessarily reflect Highlight Technologies and/or any agency of the U.S. government.