Welcome, former military, so starting exactly on time was really, really important to me. And making people wait as well. So I know it's 5:25, and when I submitted a proposal, I thought there was zero chance it was going to get picked up. And I think what they do is they make a long list, and then they cut a line where people don't get to present anymore. And then if you're right above the line, you get Wednesday at 5:25 p.m. Because I think most people would rather be at the bar, so I typically am by 5 p.m. So our CEO is here somewhere, he's hosting a party con tonight, so we'll make it up to you if you want that drink back. So before we introduce ourselves, I want to just make a couple of comments about the intent. So everybody in this room, if you're here, is impacted by the public sector, whether it's how you get energy to your house, national defense purposes, healthcare, so every single one of you are impacted by those communities. And those communities either use the CNCF open source projects or should be. But the question I have for everybody is who's actually fully satisfied by the public services they get that are regulated by the government? Probably, just Camden, Katie. Probably nobody is the answer. So the question I have is why is that area so far behind in adopting modern technology and the innovation that happens in the rest of the community? So this talk is really about what the problems are, some misadventures and adventures, and then really more of a call to action to build a bridge between those communities. It's something I'm deeply passionate about, I'll share a little bit of my story here in a little bit. But that's kind of the entire intent, so if you wanted to learn about Kubernetes today, you're in the wrong talk. You're going to learn about why the public sector needs the best brains to think about their issues. So I'm Austin Bryan, previous to my role at Defense Unicorns where I've been for about 18 months.
I served almost 12 years active duty Air Force with several people that are actually in this room today, which is encouraging to see. Through that time, I was a software engineer by trade and then surprised when you wash into the military, you write zero software. And they quickly make you a technical manager of sorts or help manage and oversee other people who are writing software, which is an interesting thing to jump directly into. I took a short stint in the operational side of the Air Force, so not acquiring and helping build systems, but actually operating them for mission purposes, and I'll get into that here in a little bit. And then I went back to kind of the software acquisition side of the world, and that doesn't mean mergers and acquisitions, that means like acquiring systems that other people build. It's kind of a little bit different lingo in the government side. But towards that time, my last assignment was San Antonio. I had the opportunity to go to a program that was standing up a platform. I had been spending my time working operations, hadn't worked software in at least four years, and I had to learn what Kubernetes and GitOps was. My team would probably argue I still don't know what those things are. But anyways, through that process, I helped stand up. There's this word called software factory in the DOD space, the Department of Defense space or government space. It's really like internal developer platforms or secure platforms that a lot of the bigger companies are also building these days. Basically, how do you go from source code to production as efficiently and as securely as possible? A big issue in the government space, which we'll spend a lot of time talking about. Through that journey, I helped start an organization called Level Up in San Antonio. I heard just today actually they dropped that name brand, but they're still doing the work, which makes me sad a little bit inside.
But after that, I met a group of people that were doing similar things, and I helped start a program called Platform One, which is still alive and well today. Actually, this is a big community of people from Platform One, so if you were along that ride and journey, there's a lot of your friends in the audience today, which is really cool to see. And now I'm at Defense Unicorns doing something very similar.

Yeah, thanks, Austin. So that's how I know Austin and why we even are friends and compadres and making software better for the public sector. But my role to where I am all starts with my almost 19 years ago experience of joining the public sector. I have always been a civilian. You can cast those stones if you would like. I'm kind of part of the problem, but also part of the solution, which is why I'm at Platform One. So you'll see the first seal there, the public sector is really into these logos and identifying ourselves in that fashion. I started an agency called the Defense Contract Management Agency. So back to what Austin's talking about, the acquiring of software, the acquisitions of software and seeing that embedded into weapons systems. I've been a part of a lot of that initially through that period, seeing these big five traditional defense contractors doing older models and waterfall processes and basically shipping out products and weapons systems to our men and women, our kids out there, and giving them stuff that sucks. That's basically what it comes down to. So that's my why. That's my call to fame of why I do what I do. But it also led me to an opportunity, went and served our Army out in Europe and supported some of the IT service delivery out there in the European continent and the African continent and helped try and nudge the needle in one direction. We'll talk about why that one tick of a nudge takes about five years. I was how much time I was out there.
But that was monumental in and of itself just because the government is traditionally slow on purpose and you should really understand a lot of this. But that ultimately will lead me to Platform One because we don't do things slow. We actually do things a lot faster than normal, maybe not quite as fast as industry. We would like to have that call to action today for you in the room. If you really care about making public sector better, which again Austin talked about, every one of you is affected by that, including myself, come be a part of that process. So what is our goal today? It's always good to tell you what we're trying to educate and inspire you to listen and understand as we walk you through the travails and the scar tissue that we have. So three big topics today. We want to first learn some of the challenges faced by the public sector. We're using those words on purpose because it's not just about the space that we both work in. We're talking about the state levels, the local levels, the community levels that all of you are a part of and where you can fit in and be a part of making things better. That's the beauty of open source and CNCF organizations and KubeCon itself, like be a part of the change that you want to see. Secondly, collaborate, you know, segueing directly to that. There's opportunities to collaborate not only amongst yourselves but partner with industry and government specifically on those solutions. And then finally, we want to share that vision for how you can help and actually have that call to action. So Austin's going to tell you a little bit about what the public sector actually is.

Yeah, so Stephen mentioned we both come from a defense background, but it's more than that. And at Defense Unicorns, I've had a chance to see some of the other regulated markets work. But just to cover what is public sector when we say that word, first is defense.
So, you know, making sure that we continue to have the values and expectations of freedom and liberty that we enjoy here in the United States. The second is any type of government. That could be, you know, county, city, state, federal, anything that regulates as a regulatory body. Energy: I lived through a four-day power outage when I was in San Antonio and it became straight Hunger Games. And if you've been without power, you know how important it is to have. And then when you don't have it, what happens to people? They really start to go crazy. Finances, which we can all appreciate, like you want your money backed by the FDIC and you want your transactions to go through as you expected. You still want there to be, you know, more than the number zero in your bank accounts, I'm sure. And then lastly, healthcare. We all file health claims that's all regulated by CMS and other parts of the health and human services part of the government. So every single one of us, like I said, are impacted by these services and we all have a vested interest in them being hopefully as good as industry can move. So I like to start with a quick story time. I wasn't aware that half the people here were going to put on fake mustaches, but this is a picture of me that floats around our company Slack that I took as a joke in 2018. But as you can see, my beautiful mustache that came in from 2014 through 2018, I was working space operations at Buckley Air Force Base. I think it's now called a space base. The operational floor looks not as interesting as this interesting cubicle picture. They pretended to look because you can't take pictures where the actual operational floor is. But for those that don't know, a lot of military operations or even government operations happen in what they call classified environments. You can't bring your cell phone in. There's no windows. If you like asbestos, most of the buildings have them. You spend, you know, I was actually working 12-hour shifts.
So sometimes you would actually go four days of days, 7am to 7pm. Then you would take three days off and then do four days of nights. And so if you think that's good for your sleep cycle, it's not. Your cognitive ability goes down quickly. But I learned a lot in that experiment. So when I was at, it was called the second space warning squadron. They operate a constellation of satellites. None of this is from them. This is pictures from the internet. So don't worry. I'm not giving away anything secret. Anyways, they have a constellation of satellites. If you didn't know, they observe the Earth. Every square inch of the Earth is 24-7, 365. And they're basically thermal cameras behind a telescope. And they're looking for heat signatures. Big heat signatures that move really fast across the globe are missiles. That's right. It's not a quiz. All right. So it's very important to know when we have troops or allies or people we care about anywhere in the world when something is moving there and it's going to land somewhere else. We can predict that and tell people and get them out of harm's way. It's especially important if somebody is launching a missile from one country or a submarine towards the United States, which is obviously where the vested interest is. So this is a high-pressure job. As you can imagine, you stare at a screen almost all day. And nothing basically happens in a 12-hour shift, like literally nothing. And yes, who likes to stare at their computer screen all day even writing software? Basically nobody, right? It's a 12-hours of time. But anyways, when something does happen, it's a very small window of time where a lot of things need to occur. And the specifics, I can't mention, but I will tell you one specific story I wanted to share is I was a certified anomaly response engineer as a computer engineer. 
So like you come in, if there is an issue with the system, your job is to kind of scramble a team of experts, go through the data, the telemetry that comes off the satellite, try to figure out what's going wrong and why. You basically only have voltage, current, and temperature to read. It's really kind of a fun problem. Anyways, one night I came in, it was about 2 a.m. We thought a missile was coming from the Pacific towards the United States, which doesn't happen normally. Luckily they figured all that out before I got there, but the question that was asked to me is what happened? Why did the system tell us that? Well, after several hours that night of looking through log files, the 19-year-old operator who was sitting there that night saw he had to grab three different colors off the screen and send this missile track to a specific place in a different IT system. He was asked to pick the three of them that are red. Yeah, exactly. He didn't pick the right three is the answer. And it is somewhat funny to tell now because that was in 2017, right? So six years ago it's kind of hard to believe, but what happened was that this is not the made-up parts. The solution wasn't to change the color of the UI, right? Like everybody knows in here that writes software that changing a UI color takes seconds and you push it back into production. It actually took six months to change the color. And the amount of time that it took them to do that, instead of having two people verify every missile track, they decided the workaround was have three people read it instead. And this is where it gets less funny and where I really get my passion about this for is the person who made the mistake was demoted. So somebody who was probably making $40,000 a year in Denver, Colorado, it's not a lot of money, even in 2017, is now making $35,000 a year. So it's something that lives with you for a long time and this experience isn't unique in the military or in the public sector in general.
Mistakes happen and a lot of times people get blamed and it's unfortunate. And this is what I want to talk about. The way software is built in these spaces is in silos. There's no communities. People build literally from the ground up. They don't leverage cloud a lot of times. They literally buy their own servers, hire a team and say, let's start from the very bottom and build everything up. And the result is six months delivery times on even things that are considered very critical. So let's talk about why that is. Why is that even allowed inside of the public sector today? This was the easiest way that we could really communicate to you the process of I want something. I need something. I got to go buy something. All the way to putting it into an operational environment and having to maintain said product, service, platform, software, weapon system, you name it. So we're going to get into each of these steps but just to highlight a few of them from the left to the right. So upfront in the public sector, you have to imagine we need to have these things called fair and open competition or fair and open market opportunities for companies that are upstairs on the exhibit floor and others that do business with the federal government. What does that mean? It means a lot of bureaucracy, a lot of checklists, a lot of making sure certain companies that have certain set-asides because they fit certain boxes have advantages that potentially others don't. And because of all those bureaucratic steps and processes and at the end of the day rules, we have to have specialists that really go deep into those rules. But they're not really focusing on what I just said earlier. There's still a system, a capability, a service that has to be delivered to the individual. It could even be the people in this room today that we're only focusing on the how to buy versus the what are we actually going to buy. 
The middle part of this that we're going to talk about is really as you go acquire said service and system, how do you remediate, how do you secure, how do you integrate those into the one to many other systems that are out there that might have an impact or integration point with that as well that could be 50 to 60 years old and literally on a mainframe somewhere in the middle of the desert that we don't even know exactly where the precise GPS coordinates of that thing is. And then last but not least, the things that are in operations today kind of a hearkening to the title of today's brief. How fragile and potentially dangerous our systems are and really the call to action today for all of us to make that better. So as I'm talking about how to buy things, these are supposed to be really eye charts and kind of scary straight processes because if you don't know how the public sector works, this is just a peek behind the curtain if you will. À la Wizard of Oz, this is how things are actually done. This is what we incentivize today. So the first picture, the one that's imposed on top of the other one, is the DOD's way of buying things. It's called our acquisition framework. Yet another framework, right? So we send individuals, they could be airmen, active duty that Austin talked about earlier or civilians such as myself, we send you to school, you go through these classes that could be multiple weeks, which have actually turned into just being computer-based training and all of checking all the boxes, which each of those boxes actually might be 20 or 30 pieces of paper that you have to produce that goes five levels up a chain of command for this individual because they wear a certain rank and have a certain authority with money to go and approve that you're going to be able to buy that thing, which potentially could take that, what the previous slide showed, 18 plus months or longer, which typically is longer.
So are you meeting the needs of the individual user, the public domain? Probably not. We wanted to add also the CNCF landscape because this is where I was talking about earlier, the options that are out there in the marketplace don't necessarily match the acquiring processes of that acquisition person and the knowledge of what's out there in the open market typically doesn't make it into the hands of the individual cutting the contract and putting dollars to the said service. So just highlighting some of those issues and concerns. As we continue on, another thing that's really near and dear to the public sector is making sure things are secure. You can imagine, especially in the defense space, which is where we both work, we have lots of bad actors that are out there, organizations, states themselves, countries that want to take advantage of those services that are out there, not only in the continental United States, but actually out there on the edges and perimeters as well. So just as a data point here, back in calendar year 2022, this is how many CVEs dropped, either critical, high, mods or lows. Maybe to the private sector, that's not as important, but to the public sector, once these drop, everything becomes a fire that we have to go and solve. For instance, and I will talk a little bit about what's going on with Platform One at this moment, a month and a half ago, critical CVE drops for one of the services that we maintain today. And it's a service that's actually used in operational environments today by warfighters. And because it dropped, things were turned off out of our control, and we had mission failure for a majority of the users, warfighters that use those services today. What do we do about that? Well, a lot of nothing other than getting on phone calls and having conversations and doing analysis and forensics and what actually is going on, but at the end of the day, the warfighter is suffering and they suffer greatly.
And as usually these services and systems are single points of failure. We don't have other capabilities other than you could imagine pigeons and pieces of paper in old school like, you know, technologies to try and communicate. That doesn't work in this world that we live in today. So this is something that, you know, is real world. This is something that even affects Platform One today. And, you know, as we try and remediate and have conversations, even our services, we don't necessarily control. It's usually three, four, five layers between us and that service hitting an IP address through those different, you know, control points and firewalls and levels of our network until it finally reaches the individual user that actually uses that to do his or her mission. Back to Austin. All right, so let's assume you figured out what you want to actually buy and you survived that giant horse blanket you showed and you actually have some way to secure your software. The next part is this integration challenge so a lot of people, especially in the CNCF landscape are thinking about AWS, Azure, Google. The interesting thing about a lot of the public sector is they don't reside on the cloud or if they do, it's a small section of the cloud that has a bunch of unique requirements and firewalls. And then a lot of times where they need to run their workloads is a disparate set of tenanted environments, all of which are disconnected from each other, right? So you can't hit an API across a network layer somewhere to do something, nor monitor it. But also the individual hardware stacks are all potentially unique. You may have a unit in Qatar with a specific hardware stack running vSphere and you may have somebody in California who needs the same thing. That's running bare metal that they need a completely different virtualization layer to deal with. 
So the software integration challenge becomes extremely difficult and what is actually pictured here is how these different platform tools, the helm charts are actually referring them, integrating with each other and it seems pretty straightforward, right? So anybody could just pick that up tomorrow and say, let me go ahead and install that software for you. And so what you have is these mission capabilities even if it's already ready to go, now you have the cognitive load of, like, what do I do next? And the interesting thing about the public sector, most people probably aren't surprised to find out, they don't pay as competitively as private sector does. And so now you have people that are getting paid less, you're asking them to not work remotely, go to a specific place, usually it's an austere place, you probably don't want to live, go into a building without windows behind gate guards, and work in a building with probably asbestos or other cockroaches that are crawling around and anybody who's been there knows that what I'm describing is not an exaggeration, it's probably true nine out of 10 times. And so what you have is people who aren't trained SREs who are like, hey, I go to CNCF and I'm a maintainer in my free time of Tempo or Istio. None of that's actually true at all. Like, one, everybody knows that this talent is super competitive for any industry, including commercial, but then asking them to take all the sacrifices to do public sector work, even if they're a contractor, is still really hard to find. So what you need to do is minimize this cognitive load, right, even if you've completed the previous steps. So you're seeing how these things stack up to be at least 18 months of delivery challenge in most cases. The other one I'll hit before I pass it back to Steven is the next part is really like, okay, if you know how to integrate it with this disparate platform or hardware stack, how do you actually deploy it to a functional there and update it? 
That's a huge challenge, too, and I think it's really unique to this community. A lot of these cloud-native software development efforts assume the internet. They assume building dependencies from other places that they can reach out and touch. None of that's true. Almost every network that runs a public sector thing is either completely egress-limited to like a few firewalls and ports, or it's completely air-gapped and sometimes we even joke water-gapped or space-gapped, right. There's like giants, there's a lot of space where you need to go. So how do you get that same software functionality that is being innovated in the community to these unique environments who need them the most? And then you have a lot of chicken-and-egg problems, like if you have a container orchestration tool that requires a pre-existing registry, who's standing up the registry? Because there's probably not one there already. You also have just the software management process, like there may be seven different people and stakeholders that actually own the approval to get onto the network that you want. So if you've figured everything out, you've got to find the right seven people to submit the right Jira or ServiceNow tickets to give you approval to touch the thing to do a three-line command, right. And then lastly, the systems have to be highly reliable and they're widely distributed, and that's a problem in and of itself, too. How do you get them to all these disparate places, which I've kind of hit on a few times, but it's a difficult problem that adds to the technical challenge.

So we've almost made it to the finish line here. But probably the worst step of all is what you're seeing in front of you right now. And this happens to be what is commonly referred to as the risk management framework based on a standard called NIST. And these are all the controls, typically that a system has to pass before you can actually deploy said service into an either staging or prod environment.
Another foot stomp here is the individual, which is literally a human, gets donned the authorizing official. So what that means is this individual gets certain authorities and responsibilities assigned to him or her. And they are the ones that you have to go in front of with all of your documentation, literally pieces of paper if it's controlled documentation or what they call plans of actions and milestones and other pieces of bodies of evidence. And you go in front of them and maybe or maybe not, they say yes, no, or a yine and we'll come back in another week or two and we'll have another conversation. It's not good enough. In other words, this is a usually one step process. It's not a continuous process. There's a lot of new organizations in the public sector that are thinking more continuous or open about this authority to operate concept, but today this is exactly how it works. It's a one-time effort, typically every two to three years. You got to pass and then once you do it, it all goes on a shelf. You forget about it, it grows a lot of dust and then come a week or two before the ATO expires. You pick it back up and you crash on it for 24 hours a day. Pizza parties galore and you try and get back in front of him or her to get your extension or get the ATO re-accredited. But let's say you did all of that and the system itself, the piece of software, this cool capability is out there doing good stuff for the public domain. Let's play a game. Let's play Find the SRE in these pictures that you see below. Starting on the left, this submarine that's doing good work for the Navy or whatever it happens to be doing. How are we doing any kind of logging and system analysis and performance improvements on a capability that's not connected to anything several thousand feet under the water in God knows where on the face of the globe?
Secondly, there's a satellite out there that's giving you GPS capabilities and making your phone do what it does today or doing anything else that's maybe of critical nature to the public service. How are we doing SRE work on that system or product and how can we go and update potentially a system that's isolated, not connected to a network. We're not sending out astronauts on a day-to-day basis doing stuff like that. I'm dating myself a little bit there, but again, these systems are as fragile as ever and the grid itself, right? That probably worries me the most and keeps me the most at least up at night time because of, you know, you hear all these, you know, stories in the news and things that could bring these things down and we have no resilient services or backup systems that I know of. But there is a silver lining here today. We want to tell you that there are good news stories out there and we are doing good things and it's because of the open source community and one of those is the organization I work for. On the left is, you know, a clear example in a vignette of helping an organization inside of the Air Force get after a chat capability that they needed to have in their airmen's hands across the globe as they operated flight missions and flight planning missions such as the Afghan Extraction, the Turkish earthquake that happened earlier this year, and then most recently some of the Middle East conflict that's happening as we speak. They use a system that we maintain at Platform One utilizing open source tooling for chat ops, and this system works today instead of that airman using WhatsApp and Facebook Messenger and LinkedIn and SMS texting and God knows what, which could be intercepted by who knows who, a capability that is maintained by us, secured by us, and they contribute back to us with our partners in industry as well.
And then over on the right, I want you to understand that we are building platforms that companies such as Defense Unicorns utilize and grow to other market segments that are not only in the DOD but also outside of the Department of Defense. And we look to the CNCF landscape for those tools and capabilities. And because of these graduated packages that I'm highlighting here, and many, many more, you have contributed to making the public sector better, whether you like it or not. Like, it's already been done and you're already doing it. We just need more of that. And we've even gone as far as marketing ourselves and creating our own technical oversight committee, similar to what the CNCF does and owns today. And we ask for contributions back to our platform that we've marketed and made available to the world, called Big Bang, and you can find it on GitHub, shameless plug there, and utilize that service for your own purposes, either in your home lab or in your organization.

I feel compelled to tell a little bit more of that story, only as Stephen was bringing it up it was bringing me a little bit of flashbacks, and there's several people here that work at Platform One now or used to. But I still remember, I can't remember, we pulled out of Afghanistan a bunch of refugees that had to be brought out too. Previously there was no way for the pilots that worked for Air Mobility Command in these giant cargo planes; they land, a lot of times they change where they're going en route, there's not bases, there's not secure comms. They were actually using the chat ops tool that Stephen mentioned that Platform One deployed to communicate and actually change the logistical plans in flight. And one of the other majors, one of my peers at the time, I didn't even know how he got my phone number, he called me at about 2 a.m.
and told me from Afghanistan the impact that Platform One was having. I actually had him stay up late to come to our team stand-up the next day and just tell people the impact that they were having on people's lives leaving Afghanistan for safety. And I swear there was probably 200 people on the call and I think a hundred of them were crying. And that's really the point that I want to make, is that all this stuff that's happening in the community is needed by the public sector. And again, this is just a couple stories of how, and how it can be better. And that's really what gets me to this last point. I'd rather it be more than just like a talk at KubeCon where people, you know, share a story and then nothing really happens, right? There's a lot of things going on out there where people can get more involved with the public sector, and I kind of just want to highlight a few of them that people can maybe take. You know, Stephen and I's LinkedIn will be on here afterwards; you guys can connect with us. We're happy to get you connected with the right people and build a community around this. So first is, the government puts out all the time these things they call the request for information. That's actually before they want to do work with somebody; they're asking the community, like, hey, I think I need to do this thing, can you help me understand how I should be doing it? I know everybody's got to make a business case whether it makes sense for you to use your time and energy to respond to those things to inform the government of what's going on. As Stephen mentioned, they're experts in a lot of things; they're not experts in the CNCF community. There's not like a standing army of them, because it's a huge community of itself. They need help from people to respond to those things. Getting on different communication means where you can actually receive information from the government, again not just Department of Defense but other areas we mentioned from the public sector, is important too,
because they distribute information in interesting ways that, you know, it's not on LinkedIn, typically not in the normal business-to-business sales. They kind of have their own processes, but we're happy to chat with you afterwards about what some of those are.

The other is just educating people on open source. There was a group of us in the government that kind of went on the Platform One journey. If you would bring up open source, still to this day there's a lot of stigmatism around in the government circles, like open source is scary because the code's out there. And they don't realize, again, a lot of people that make business decisions are not software experts, nor are they expected to be, somebody who means to do you harm not have access to kind of everything that you're doing, and they don't really fully understand things like OpenSSF and the Scorecard and Sigstore and SLSA and all these things, and how it relates to NIST 800-53 in compliance, and how it can be better for security, not worse. And so there's just a lot of education out there; there's a lot of free resources that you can tap into to educate yourself.

And then one that's also near and dear to me, that NIST has actually been championing, another government organization, where they have a GitHub page, but it's a way to actually assert what NIST controls you satisfy with your specific software, with the software, in YAML, kind of in the GitOps process. As Stephen was describing, what typically happens is a team of experts builds a system, delivers the system, and then somebody who's trained in 400 different controls sits down next to those engineers, literally going seat to seat with an Excel file, saying, "Hey, can you tell me how you satisfied AC-4, like, encryption?" "Like, what are you talking about? We use Istio, they're sidecars." And the cyber person's like, "I don't know what Istio is. Can you explain service mesh proxies to me?" And so you can see that's iteration one of 397 controls they're about to walk through together. So OSCAL is
actually a way, instead of doing things after the fact, move it in small chunks to the people who know what their software is doing, and it actually allows you to build things into the CI process to improve things.

Also just documenting and maintaining projects. I feel stupid to be in there at a CNCF event, because people obviously do that and do that really well here, but it makes a difference. The barrier to adoption matters, and being able to publicly find your things easy, quick start guides, matters a ton.

Relatively new is the public sector user group, which is really cool. I believe it's CNCF sponsored. I'm looking at Brandt because people will know. Yep. Absolutely join that. I think they meet every Thursday afternoon, 12 or one Central, roughly. Ian's here, he'll tell you more about it, I'll ask afterwards. But you can join that user group, anybody can, and it's really this entire conversation Stephen and I are having, it's very similar, but it's getting down to the working group level: how do we make an actual difference? And then maybe I'll let you talk about the Big Bang.

Like I said earlier in the previous slide, we want contributions back to our platform. We know it's not the right solution or the wrong solution, it's a solution. We know other people are using it and we're just not aware of that, because we don't have the call-home feature, nor should we. Need people to come and tell us, like, what is it doing great for you, what is it not doing great for you, and contribute back. We do have that technical oversight committee up and running. We're trying to spin off, you know, special interest groups, all of the TAGs that the CNCF model has. So again, be a part of it. We ask and implore upon you to use whatever time that you might have and come back and help us help you.

All right, unfortunately I think I used up all but three minutes of our time, well, we both did. So happy to take questions if we're allowed to, but I think they have to kill it at six for the virtual recordings and stuff too, but
happy to take questions.

Hey, so, you know, we're going to open source software, but then we're also a COTS platform that's, you know, offering self-hosted dual-use software through, you know, Kubernetes. Basically we ship a Helm chart, right? So some of our contacts, and, you know, in addition to, you know, these requirements, everything else was kind of like, "Oh, you should test this out and test Kubernetes," and we're like, "Great, we can go read the thousand-page PDF," or hopefully there's maybe an easier way to actually, like, get a STIG Kubernetes up and running without having to become an expert. Do you guys have any guidance on that or any thoughts?

Yes, that's, everything you said is a problem, and it's one of the many pain points that we're trying to get at. There's STIGs to OS too, and I don't know how far up the stack the STIGs go, but they seem to come out all the time. Because, like, you can STIG something like RKE2, the configuration, and then just put it on GitHub. There's no reason not to, and just share it. Like, so let's not reinvent it, and other people can put PRs up against that.

Maybe more of a Platform One question. Back in April we saw Chainguard's Wolfi make it into Iron Bank, and I was just curious, are there any plans to start basing the images we put out based on Wolfi as opposed to Red Hat UBI?

Yeah, so I will first take this stab, but we have our chief technology officer here. In engaging them, we have a partnership with Chainguard for sure. Cameron, what would you like to say?
Thanks. Yeah, I didn't figure that I'd jump up here. So, Cameron and Katie, I'm the interim Iron Bank by extreme lead and also the CTO of Platform One. So short answer is yes. I want to offer people options, we want to offer people options. I don't think one distro to rule them all is going to be the future. And so I guess call to action for the community: rebasing takes time, so if you want to come help out with that effort, come help us out on Iron Bank. Yeah, that's, that's that. Sure, thanks.

Are we out of time for questions? How does it work? One more?

Attestations are great. It's wonderful that we're starting to make all these things code. Looking at it from the other side, from a security lens, what should security be doing with all of those SBOMs and all of this paperwork that we are now generating, and, like, where do they start?

I'll start and then add your opinion. So what we are trying to do, especially in the Department of Defense, is establish what a continuous authority to operate looks like, because the word continuous is the right word. It's not a one-stop, generate a bunch of paper, put it into a tool called eMASS, which is what the DOD uses, and then it sits in a repo somewhere where maybe someone's going to look at it or not. The model that Platform One has is, we do establish our initial ATO, but we embed cyber risk assessors on behalf of that authorizing official that I talked about earlier, and those individuals get to come and be a part of the process of making sausage. Whenever we push updates, whenever we need to bring on a new app team and run them through our CI/CD pipelines and build out new infrastructure and do the things that we need to do, they got to be a part of that. And when we want to make changes, we keep them at the ready all the time. Because the DOD, that we're about ready to release on behalf of the CIO's office, what a continuous authority to operate looks like, there's the guidance there, and Platform One's part of that exemplar package that will hopefully give what
that right looks like and maybe eventually establish more of policy, so that we go more that route versus what you're describing now, which is this one-stop shop, thousands of pages that really don't add any value at the end of the day.

The only thing I'll add is every part of the delivery process deserves innovation, including looking at SBOMs and CVEs. After those SBOMs are scanned, there's tools out there like DefectDojo and others where you can actually load it into a more user-friendly place and manage the CVEs, sift through the ones that matter, let the dev teams make adaptations around why it's mitigated, why it's not. So I don't have a solution, I think there's, but again, it's a community approach. Everybody has these same problems, and every part of the process is like, we're not going to solve this 18-month problem in one go. It's eating the elephant one bite at a time. Thank you.