Welcome back to the very last brief at Open GovCon. So excited to announce my friend here, Russ. And this is definitely an interesting one. It's taking a look at how to approach container hardening at the DoD slash federal scale. So Russ, please take it away.

Yeah, Kyle, thanks very much for putting Open GovCon together. Very much appreciated, and onwards and upwards. Yes, so this talk is going to be a little bit more broad-based. I've got, yes, sir. Yes, of course. Can you not hear me? Yeah, I'll stand over here and then you can hear me. How's that? No problem. I've got a lot of feedback during the week. And the presentation today is going to give us a macro view of why you'd want to harden containers, and to pose that against a couple of the value propositions and the things that you need to be thinking about as you start to interact with federal marketplaces. And so we'll chat a little about the various channels going to the federal marketplace and how container hardening plays a central role in that. And then we'll introduce some of the partners and the opportunities. And it's the last session, so we'll keep it relatively interactive. I'm not going to give you a very deep tech dive, but I do have leaflets. And I'm available after the talk and happy to take that further. So essentially, what we're going to talk about, well, I'm from RapidFort. We are engaged with the federal government in quite a meaningful way. And when you get engaged with the federal government, you need to solve a couple of challenges. You need to solve the technology onboarding challenge, which is a significant challenge. And we're going to talk about that and the options for that. Then the contracting vehicle challenge, and then sales and marketing, essentially the things that we take in the enterprise space for granted. Those have parallels in the federal space. And you need to be cognizant of that. And so you have entities that can help with this.
I would argue that Platform One and their ecosystem is a very viable channel. It's one of them. We're going to discuss the pros and cons of others. And the SBIR program, which essentially is much like an enterprise paid POC, is essentially a vehicle to solve the second problem, which is contract vehicle onboarding. And then there are a number of emerging marketplaces to be aware of and all of that stuff. So this is essentially how to sell stuff to the government 101. OK. So there are a number of potential partners or potential channels. There's FedRAMP, StateRAMP. FedRAMP typically is for large enterprises. It's an expensive process. StateRAMP is FedRAMP's little brother. A lot of the rules apply. Neither of these agencies are Kubernetes or open source friendly or agile technology friendly. And that's one of the big advantages that some of the other channels have. There are independent onboarding vendors. For example, there's subcontracting to a prime. That's another way that smaller companies can engage in the federal space. And there are emerging marketplaces like Tradewinds, Advanter, JFAC, and all of that stuff. But my argument would be that Platform One and the SBIR process is a really good place to go. And we work with, essentially, all these companies. And we understand all of these channels. And I'm happy to broker introductions to any of you guys here. Fundamentally, how does this talk intersect with vulnerability remediation and container hardening? I'll explain that in the section. But whether it's FedRAMP, StateRAMP, or any of these other channels, you have to harden containers. You have to remediate and remove vulnerabilities. And that's why a company like us actually gets involved in all these federal intersections. Okay, so who here has heard of the SBIR process? You must, yes, I got three. Okay, the SBIR process is essentially the equivalent of a paid enterprise POC. And they've structured it in a similar process.
So in the same way as when you engage with a large enterprise customer, you have a proof of concept that can either be paid or unpaid, success criteria, and so forth. That is mirrored in the Department of Defense, where you have, essentially, a mechanism by which you are paid to actually go through the process of validating your technology. Phase one would require you to build a prototype. Phase two, there needs to be some implementation. And then phase three would enable you to have a commercial relationship. So the SBIR process is actually a fast track into contracting ability. Because once you have a phase three, you then essentially have your sales license that enables you to sell into these various opportunities. So in terms of solving problem number two, which is the contracting vehicle, this is something that's important to bear in mind. And they have a number of metrics by which they measure companies. There's three opportunities a year to present. You must be a U.S. citizen to deliver services, and it must be R&D. So what does that actually mean? It means there must be experimentation, there must be risk, and there must be evidence of failure, believe it or not. And so things like training, things like licensing, and things like that are not necessarily included under the program. And then it requires a customer memorandum where you have a technical point of contact who's essentially like a project manager for a traditional POC. And this mechanism is incredibly valuable. And I was asked the question the other day, how important is the SBIR process to our engagement? It's very important. And in fact, most companies that interact initially with the Air Force come through this channel. So I highly recommend it, but there are some things to be aware of. It's a competitive process. You need to make very thorough submissions and all of those things, but bear that in mind. So a bit of technical stuff. I'll breeze through this very quickly.
RapidFort, the company I'm with, essentially is a DevSecOps tool which hardens software containers. Many of you were at the last talk. The way we do this is we essentially instrument the container. As it runs, we learn its runtime profile, essentially its production profile, and then we harden it. And the reason this is beneficial to customers wanting to enter the federal space is that the number of vulnerabilities you have is going to be linearly related with cost. And so the fewer vulnerabilities you have actually entering the process, the cheaper it will be. And we get good results. These are some results that we get with federal customers. Typically, these are very standard. It's programming language dependent: Java, 50 to 60% reduction; Node.js would be north of 90. Alrighty. So we've talked about how you can get money. We've talked about how you can establish a contracting vehicle. And now we want to talk about the technical onboarding component, which is the third problem you're gonna face. And I would argue that Platform One is a very good place to go. It's a good place to go because there's going to be technical alignment in terms of what you're doing. The other channels require you to certify your whole stack, 100% of it. So if you are essentially running in AWS, you will have to certify the entire instance, whereas if you go through this channel, you really need to certify the application layer and you can inherit a lot of the authorizations and the compliance benefits from the bottom. So perhaps the best place to start is they have monthly AMAs. Iron Bank has weekly discussions. There's some good documentation. You're welcome to take a photo of this. And then in terms of the SBIR process, I'm happy to broker introductions as well. However, okay. So, Iron Bank, this channel has essentially three components. It has a container repository. It has essentially a deployment mechanism, and then it has essentially ways to support and deploy the container.
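The runtime-profiling idea just described, as an added example that is not part of the talk and is not RapidFort's code: record which files the workload actually opens while it runs, keep the packages that own those files, and strip everything else from the image, so that the vulnerability findings attached to the dropped packages disappear with them. The package manifest, the trace lines, and the per-package finding counts below are all constructed for illustration (they are not real advisories), and the `KEEP` allowlist covers the failure mode a practitioner hits first: a file the profiling run never exercised but that production still needs.

```python
"""Runtime-profile-based container hardening in miniature (added example).

All inputs are constructed: a package-to-files manifest, a syscall-style
trace of the kind an instrumented run would produce, and illustrative
finding counts per package that do not correspond to real CVEs.
"""
from dataclasses import dataclass, field

# Constructed manifest: package name -> files that package owns in the image.
IMAGE = {
    "python3": {"/usr/bin/python3", "/usr/lib/python3/site-packages/app.py"},
    "libssl3": {"/usr/lib/libssl.so.3", "/usr/lib/libcrypto.so.3"},
    "curl": {"/usr/bin/curl", "/usr/lib/libcurl.so.4"},
    "perl": {"/usr/bin/perl", "/usr/lib/perl5/strict.pm"},
    "ca-certificates": {"/etc/ssl/certs/ca-certificates.crt"},
}

# Constructed, illustrative open-finding counts per package (not real CVE data).
FINDINGS = {"python3": 0, "libssl3": 1, "curl": 2, "perl": 3, "ca-certificates": 0}

# Constructed runtime trace, "<syscall> <path>" per line.  The last path lives
# on a mounted volume, not in the image, and must simply be ignored.
TRACE = """\
openat /usr/bin/python3
openat /usr/lib/python3/site-packages/app.py
openat /usr/lib/libssl.so.3
openat /usr/lib/libcrypto.so.3
openat /mnt/config/settings.yaml
"""

# Paths the profiling run never touched but that must survive anyway, for
# example TLS roots used only on a code path the test workload did not hit.
KEEP = frozenset({"/etc/ssl/certs/ca-certificates.crt"})


@dataclass
class HardenResult:
    kept_packages: set = field(default_factory=set)
    removed_packages: set = field(default_factory=set)
    removed_paths: set = field(default_factory=set)


def parse_trace(text: str) -> set:
    """Collect the set of paths opened during the profiled run."""
    paths = set()
    for line in text.splitlines():
        parts = line.split(maxsplit=1)
        if len(parts) == 2:
            paths.add(parts[1].strip())
    return paths


def harden(image: dict, used_paths: set, keep: frozenset = frozenset()) -> HardenResult:
    """Keep a package if any file it owns was used or allow-listed; drop the rest whole.

    Whole-package granularity keeps the package database consistent with what
    is left on disk, so scanners and SBOM tools still see a coherent image.
    """
    result = HardenResult()
    needed = used_paths | keep
    for pkg, files in image.items():
        if files & needed:
            result.kept_packages.add(pkg)
        else:
            result.removed_packages.add(pkg)
            result.removed_paths |= files
    return result


def finding_counts(findings: dict, result: HardenResult):
    """Open findings before (all packages) and after (kept packages only)."""
    before = sum(findings.values())
    after = sum(findings[p] for p in result.kept_packages)
    return before, after


def render_removal(result: HardenResult) -> str:
    """Emit a Dockerfile fragment that strips the unused files from the image."""
    if not result.removed_paths:
        return "# nothing to remove"
    return "RUN rm -rf " + " ".join(sorted(result.removed_paths))


if __name__ == "__main__":
    used = parse_trace(TRACE)
    res = harden(IMAGE, used, KEEP)
    before, after = finding_counts(FINDINGS, res)
    print("removed packages:", sorted(res.removed_packages))
    print(f"findings: {before} -> {after} ({100 * (before - after) / before:.0f}% reduction)")
    print(render_removal(res))
```

Running it removes `curl` and `perl`, which the workload never touched, and takes the constructed finding count from 6 to 1; without the `KEEP` entry the certificate bundle would also be stripped, which is exactly the kind of silent breakage a profiling run that did not exercise every code path produces. The profiling run therefore has to cover the workload's real production behaviour, or the allowlist has to make up the difference.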
So what Iron Bank is, is essentially a repository of approved containers, and in order for you to start getting into the application layer, you need to get your containers through the Iron Bank process. There's good literature online. I did talk about that in a previous talk. If you're interested in the minutiae of that, please let me know. And the Iron Bank process is very aligned with what's happening at the Open Source Security Foundation and all of these things. And if you go to these links, you're gonna get some really interesting information. Okay, here we go. Big Bang is essentially the deployment platform that you'll want to deploy in, because that enables you to inherit all the controls and all the benefits of the previous work done, and it's open source and it's free. And so, Big Bang is essentially, think of it as a Kubernetes, a hardened Kubernetes cluster. It's got Istio, it's got logging, it's got everything you need in order to become compliant. And so, this is gonna save you a lot of time, effort and money. If you go through FedRAMP, you're looking at a significant amount of pain just replicating this, and this is available for free online and away you can go. Any questions so far? Nothing from you? Okay. And then Party Bus. So we are blessed to have one of the managers of Party Bus here today and he'll be taking questions at the end, but what Party Bus does is, think of it as a professional services arm, if you will, that enables federal customers to utilize these tools. So they stand up DevOps pipelines, they do consulting engagements and things like that. And that's essentially what they do. There's a lot more to it and Steve can provide that, but essentially they are the third component required in order for you to sort of leverage this channel. Okay. So we have gone through this journey successfully. We've learned a lot along the way and there's a few things that you should bear in mind.
The other talk that I did previously talked about some of the challenges, but essentially as you go through the journey you want to set up the deployment infrastructure, you wanna harden the containers, you wanna test it, and then you wanna go through the certification process. And so here, please feel free to take a photo of the slides. It's essentially your template for an engagement with Iron Bank, and there are groups available, Defense Unicorns and a couple of the other groups, that can facilitate this journey. Alrighty. Okay, so I've breezed through my talk. Does anyone have any questions? Yes. So I have my perspective but I'll pass it over to the candidate to take that one.

Yep, so I'll repeat the question there. So the question was, if Platform One moves over to JWCC, how might that impact the SBIR process? So to date, the planning and work that has gone into us moving over to JWCC is one comment that Ms. Knausenberger made in public. So certainly we are not currently moving to JWCC, like that is an idea that's floating out in the space. That being said, if we did go over there, so the SBIR process is a DoD process, the Small Business Innovation Research process. AFWERX and SpaceWERX run that for the Air Force, with the Air Force side of that. Kind of, we could build a whole other set of slides for each of the services in terms of how they manage that, because every service has their own way of doing it. So it would still exist. It might look a little bit different. Most likely, if we did move into some sort of a joint construct, I would imagine they would leave it with the Air Force to still do SBIRs related to that, because there's no joint SBIR office really.

Yeah, thank you. My perspective is the SBIR process for the Air Force is going extremely well and the other components of the armed forces are following suit.
So one of the things that makes the Air Force unique is they have what's known as an open topic. Both the Navy and the Army and so forth are following suit, and so the SBIR process is working extremely well in the Air Force. It has its challenges elsewhere. So I would hope that the leadership doesn't break what's already working, and that could be an opportunity for the other SBIR programs to sort of fall in line with essentially the leader in the space. So I don't think it's going anywhere. Any other questions? You've got a question, and you, I can tell. That's a great question, and then I'll answer a reciprocal question, which is how can open source projects go through the SBIR process? So at each of the stages there's very different evaluation metrics. And so at phase one, what they're really looking for is exposure to a wide variety of ideas and technologies, and so small companies, one or two people in a garage with a semblance of a product, would have an opportunity to participate, and so what they're really screening for is innovation. At phase two they change and they start looking for commercialization, and so what's looked for in phase two companies is essentially investment, commercial traction, size of team, customer base, all of these kinds of things. And so one of the things about the SBIR process is there doesn't seem to be middle ground between phase one and phase two, and what we're starting to see is a blending, and so there's bigger phase ones coming in with slightly more stringent requirements that are meeting that need. And then phase three is essentially a commercially ready product, and to do that you need to meet essentially the qualities of enterprise sales. So you need to have customer support, you need to have financial sustainability and so forth, and so as you go down the path it gets harder.
So one of the challenges for open source projects going into the SBIR process is they don't have a lot of these things; they're not incorporated, which is a fundamental problem. There isn't oversight in terms of who can contribute. So these programs are designed for U.S. citizens, and if you have other contributors that can create problems. And so the SBIR process is not necessarily well adapted to a true open source project, where there is an opportunity to add services components on top of an open source project, and there's been a number of successful use cases that have done that. So if you are involved in an open source project and you are interested in the SBIR journey, incorporate, go through that process, and then that'll enable you to get funding and to take your concept further. It's very small business. Yes. Yeah, but 500 employees is a lot. I mean, your average security company's got less than 100, but yeah. But it's worth investigating. One of the great aspects of this is it's an interesting way to actually have dialogue with sophisticated customers. You will meet and get very interesting feedback and divergent viewpoints. Okay.

Can we talk a little bit about the failures and the learning there, and then a plus one would be, what does the future look like for RapidFort in the container hardening space of the federal government? Thank you.

Yeah, so if you're venture backed, the venture capital community doesn't understand SBIRs, and they are gonna treat this contract just like an enterprise customer contract. So there are gonna be pipeline reviews. There's going to be a lot of scrutiny around it, and the ability to sequence and meet deliverables and things like that is largely determined, or somewhat determined, by the speed at which your TPOC can process things.
And so there can be the misperception that this relationship is stalled and so forth, and concern around that, because in the enterprise world if you're not succeeding in a customer you're failing, and that is a bad mark. Venture investors are very sensitive to signs of failure. They're trying to work out, do they have a product? Is it gonna be sticky? Is it solving a significant problem? And when they see that there's a lack of momentum, that can cause concern. And so the key there is education, in terms of telling your investors this is the process, this is the way it works. It may become slow and so forth and all of that. But then there's also the opportunity to talk about the other phases, in terms of sequentially, if we deliver, there's an opportunity for us to address a large audience. So it's one of miscommunication is how I'd say it. For example, in the finance world, if you're not collecting invoices they start becoming aged. And then the auditors are saying, is this a real account? Are there revenue recognition issues? There's all sorts of unintended consequences when you look at an SBIR-based contract like an enterprise-based contract, but all of them can be avoided largely through communication, and then having an enthusiastic TPOC who's pushing you through the journey and supporting you. So what does the future look like for us? That's a very interesting question. I think when we first started RapidFort, three years ago, the only people who were doing vulnerability remediation was the Department of Defense. And so when we would talk to big financial services companies and so forth, it was a tier two, tier three problem. Now it's bumped up essentially the importance on the list of CISOs very significantly, and what's driving that is a lot of the compliance and the regulation and the indication that liability can shift towards software manufacturers for not patching vulnerabilities.
And so our company, and in fact the industry, has seen a real tailwind in terms of where we're going with vulnerability remediation. Yes sir, thank you. So do you know who the number one contributor to Kubernetes is? It's Alibaba. So interesting stat. So there are open source projects that don't have good governance structures and there's open source projects that do. And there's a strong tendency within the federal space to go through and utilize projects that have strict governance, have eyes on multiple checks, comply with all these frameworks and things like that. So if I'm not mistaken, and Camden can correct me here, the CNCF sort of stamp of approval is the level of comfort you've got to get to in order to be entertained by sort of federal agencies and certainly DoD agencies. So can you shed any light on where the threshold might be?

Yeah, so things like the CNCF stamp of approval definitely help. So we're well aware that we have products in Iron Bank today that have a preponderance of foreign ownership or foreign contributions. I think I want to be careful about this here. So that being said, it really goes back to those governance structures like Russ was saying. So our model in Iron Bank is largely modeled after the OpenSSF Scorecard. So we try not to be about who you are as much as, do you have a process and do you follow it? Do you actually have signed commits enabled? Do you actually have review going on before things get merged? One of our big pushes over the last few years in software is to go from personality-based decisions to making decisions based on more objective criteria. And so, that being said, if you're looking to do business with the federal government, so the US government, being a US company and having those kinds of firewalls that we would historically expect for folks doing business with the US government is certainly helpful.
But we definitely recognize that software in general, and open source software specifically, is an international endeavor.

Thank you. Good question. Appreciate it. Do we have any other questions? Well, I certainly hope this discussion was interesting. There's a lot of painfully learned lessons in here. Things that I wish I knew, and I'd encourage you to reach out to me. I'd love to help you on your journey. It's something that my company is very passionate about, in terms of open source and its intersection with the federal marketplace. Thanks. Thank you. Thanks, Kyle.

Great. Well, thanks everybody. That was our first Open GovCon. And so stay tuned for more. We plan to make this a series of events. We appreciate all the support for this first go and look forward to seeing you soon. Thank you. Can we get a round of applause for Kyle? Yeah, Kyle. Thank you. Well said.