Behind the Shield
Behind the Shield is InfusionPoints’ podcast where we sit down with partners, customers, and industry leaders to talk about FedRAMP, compliance, and cybersecurity in today’s government landscape. Each episode offers laid-back, insightful conversations that blend expertise with real-world experiences.
FedRAMP 20x Explained, CMMC Impact, and Real Compliance Talk with Matt Bruggeman
In this episode of Behind the Shield, Jason Shropshire, InfusionPoints COO, sits down with Matt Bruggeman, Director of GTM Federal at A-LIGN, to explore one of the most unique career paths in the compliance space and how it directly shapes the way he approaches FedRAMP today. Starting in engineering, transitioning into improv comedy, and ultimately moving into sales engineering, Matt brings a perspective that blends technical depth with communication, adaptability, and real-world problem solving.
We dive into the realities of FedRAMP, including the friction points that have challenged CSPs over the last several years, from inconsistent interpretations to long timelines and the operational burden of maintaining authorization. Matt shares firsthand insight into how these challenges have impacted both providers and assessors, and where the industry is starting to shift.
The conversation also unpacks FedRAMP 20x and what it actually means beyond the headlines. We talk about automation, machine-readable evidence, and what organizations need to start thinking about now if they want to keep pace with where the program is going. This isn’t just about moving faster, it’s about fundamentally changing how compliance is approached.
We also touch on CMMC and its growing influence across the defense ecosystem, how it compares to FedRAMP, and why organizations need to think strategically about overlapping requirements and long-term compliance investments.
Throughout the episode, Matt highlights the importance of clear communication, storytelling, and being able to translate complex technical requirements into something actionable, especially in a space that often leans too heavily on jargon and process.
Whether you're early in your FedRAMP journey, actively working toward authorization, or rethinking your approach in light of 20x, this episode offers practical insight, honest perspective, and a look at where compliance is headed next.
What You’ll Learn:
• Matt’s journey from engineering to improv and how it shaped his approach to problem-solving
• The realities of FedRAMP challenges and why the process has been so difficult historically
• How FedRAMP is evolving and what changes are underway
• What FedRAMP 20x actually means and what it requires from organizations
• The impact of CMMC on the broader compliance and defense ecosystem
• Why communication, storytelling, and adaptability matter in technical roles
• Key insights for navigating compliance in a rapidly changing environment
Chapters:
0:00 - Introduction to the Podcast
0:29 - Meet Matt Bruggeman
1:16 - Matt's Engineering Background
2:13 - Transition to Improv Comedy
4:04 - Sales Engineering Journey
6:02 - Joining A-LIGN and FedRAMP
11:01 - FedRAMP Challenges and Changes
17:12 - CMMC and Industry Impact
23:33 - FedRAMP 20x Discussion
47:43 - Lighter Fare and Closing
If you’re building, managing, or defending in regulated environments, make sure to subscribe for more conversations like this.
Interested in learning more about FedRAMP 20x? Join our FedRAMP 20x Explained webinar on April 2nd at 1 PM ET: https://xbu40.com/20x-cohort
Guest Links:
Matt Bruggeman, LinkedIn: https://www.linkedin.com/in/matt-bruggeman/
A-LIGN: https://www.a-lign.com/
Mostly Compliant Podcast: https://www.youtube.com/playlist?list=PLLU5Lb_V9iSyFhftOkbrOE_y0DVAvDmO4
Sooper Doods: https://www.youtube.com/@SooperDoods
InfusionPoints Links:
Jason Shropshire, COO: https://www.linkedin.com/in/shrop/
https://www.linkedin.com/company/infusionpoints/
https://www.InfusionPoints.com
https://infusionpoints.com/contact-us
SPEAKER_01: Well, welcome back to Behind the Shield. I'm your host today, Jason Shropshire, COO at InfusionPoints. And today I've got a great friend of InfusionPoints and of me personally with us, Matt Bruggeman, who leads federal go-to-market efforts at A-LIGN, one of the top FedRAMP 3PAOs, and he has spent the last several years deeply embedded in FedRAMP, CMMC, NIST 800-171, and GovRAMP. He's also the host of A-LIGN's Mostly Compliant podcast, where he regularly breaks down complex topics with a mix of realism and humor. So please welcome Matt Bruggeman. Hey man, how you doing?
SPEAKER_00: Hello, everybody. Hello, Jason. I'm doing pretty well. I'm on the tail end, I hope, tail end, of some viral thing. But other than that, everything's going very well. How have you been?
SPEAKER_01: Awesome, awesome. Well, you sound and look good. That's most important. Well, Matt, just give us a little bit of background. I love starting by hearing people's history in the compliance space and sort of how they got into it. Give us a little bit of your background and how you got into the space, and go from there.
SPEAKER_00: Sure. It is an interesting one too, so buckle up. I got my degree in electrical and computer engineering from The Ohio State University. If I don't say "The," somebody else will. And then I was working as an electrical failure analyst at Wright-Patterson Air Force Base, in Dayton, Ohio, for a few years. So I was using that degree. And then I quit and haven't used it since. When I initially left my job as an electrical failure analyst, which was actually a really cool gig, we basically did mishap failure analysis. So if there was a mishap and they thought that there was anything electrical that may have caused it, we would potentially go on site or otherwise gather the wiring, black box information, all that sort of stuff, and we would investigate to see if we could find the root cause and write reports on what may have happened. But it was right around that time that I started to explore the comedy side, which you mentioned, where I started learning and performing improv comedy, and I actually left my job as an electrical engineer to do improv comedy full-time. And I was doing improv for business training, which is the only way that pays any sort of money. So basically that would be us going into sales settings, corporate meetings, whatever, and doing improv exercises with the groups, because one of the things that I learned and that I loved about improv comedy is, for those that aren't familiar, it's like Whose Line Is It Anyway: you go up on stage with nothing, you get some sort of suggestion, and then you make everything up on the spot and you try to make people laugh with it.
And so in order to get really good at that, you have to get really good at listening, being present, getting out of your own head, following the fear, all these fun mantras that you might hear, don't think twice with improv, that I think are really applicable to life in general, and to a lot of sales skills as well. So we would go into sales groups or just companies and we would do improv exercises with them. First of all, get them uncomfortable, get them on their feet doing improv exercises, but then work on some of these skills like communication skills, how to be a better, more active listener, how to be present and drop the, hey, as you're talking, I'm formulating what I'm going to respond. Hey, let's not do that. Let's just fully listen, be present with you, and then I'm going to respond organically based on what you end up telling me. So there are all these aspects, working together, teamwork, all these things that are really valuable. So I did that for a few years, where I would just go into companies and I would do these improv exercises. And then after a few years of that, I did remember that I do enjoy money after all, because that doesn't pay the most money in the world. So I was really open at that point. I was like, I don't know what I want my career to be, I'm not sure where I want to go, but I knew I had the technical background, electrical engineer, I was always really good at math and picking up on and learning things pretty quickly, and then the communication skills. So I started to get into sales engineer positions. I had a few different jobs as a sales engineer, for tech companies, or not, actually. The first one was for a compressed air company.
So it was a lot of on-the-road cold calling, cold sales, going to manufacturing plants and looking at what sort of design they had around their air compressor or compressed air system, still kind of engineering related, yeah. So it was a lot of helping them design more efficient methods of distributing the air needs that they had, with variable speed drive air compressors and all these fun things. So I would go in and then help design, hey, here's a better way to go about it, here's our proposed system. And then the next job, actually, I found because that one was literally in a car driving out to these plants, a lot of hitting the road. I was not loving that. So I wanted to find something a little bit more remote. I found another job at a product design and engineering firm. It was really interesting, actually. Our services were product design and engineering. If you have an idea for something, so like Jason, tonight you have an idea come to you for a new, better toothbrush or whatever, and then you're like, but I'm not an engineer, how do I make a prototype of that? You would call us, and then we would work with your idea, do some initial design, maybe make a prototype so that you could test it, all that fun stuff. So that was an interesting gig as well. Did that for a few years, and then moved out here to Denver during that time. And that's when I actually found the opening at A-LIGN. I had no cyber experience before that. But again, I was eager to jump into something a little more technical that I could really take on and try to know really well.
And so when I got brought on, I was on the sales side, selling strictly our federal services. So primarily, especially back then, that was FedRAMP; CMMC wasn't really even a thing yet, right? Right, right. So really just trial by fire and training under other folks and working with our assessment team. We had some really great folks on the assessment side who were really willing to help me learn a lot with them and through them, and ask them a lot of questions. And so for like six to twelve months, I was pretty much just soaking it in and learning. And then I was on a handful of sales calls every day where I had to help guide other people, and so you learn a lot through that, I think, right? Through learning how many different people are at what stages in the journey and what they're looking for, and what are they missing, and you start to learn where the missing pieces are for a lot of people, and then you need to go learn it or know it so that you can explain it to them. And so that ended up being a really effective method for me, so that years later now I'm in more of a subject matter expert role where I help bridge the gap between our service delivery team and our sales team in terms of communicating how these assessments actually operate. So I know that was a very long answer, but that's kind of how I got into the space.
SPEAKER_01: No, I loved it, because there are so many parallels just between your experience and mine. I started out with an engineering degree, mechanical engineering, and actually worked for a machine design firm for five years directly out of college, which I had done some internship with before. And that was going to be my career, but cyber was emerging, you know, in the early aughts, into really a thing, right? And even a lot of the folks who were, it was either computer science or there was no MIS back then. So a lot of folks that had engineering backgrounds in the 90s and even prior ended up in these roles that now there are CIS majors for, MIS majors for, and things like that. So it's interesting how many engineers I come across that are now doing compliance or doing cloud or have sort of migrated into those professions. Gary Damer, our CEO, he's the same way. I think he has an MS in systems engineering from Virginia Tech, and then he went to UNC Charlotte for his bachelor's in electrical engineering. Mine was mechanical engineering. So yeah, I think there are a lot of parallels.
SPEAKER_00: Like for me, even though I don't use it at all, I'm so grateful that I studied and got my degree in that, because I think it taught logic-based thinking and reasoning really well, especially electrical engineering, because you're just learning how a computer thinks, ones and zeros, yeses and nos, and how do you combine those into different logic systems? And critical thinking skills, I think, right? It teaches you these really core concepts that for me have been super applicable even beyond that, and especially in cyber. So yeah, that doesn't surprise me, I guess.
SPEAKER_01: And it's interesting, like you were talking about your first job doing failure modes analysis. I mean, that has parallels to me with audit work, and even forensics to some level. Yeah, there are interesting parallels there. And then we follow this idea of systems engineering, right? And to me, having that engineering background where you fundamentally think through how components have to work together to solve a problem, right? That's really what we're doing on the cyber side, in the cyberspace, and what we do here at InfusionPoints. So engineering has so many different layers that apply, whether it's on the audit side or the build side. Yeah, that's really cool. I love finding out more about people's backgrounds through this process.
SPEAKER_00: I know, you're making me want to ask more on my podcast, because I don't really dive into it too much, but that would be good to learn more about. And so for any kids listening, I guess go get your degree in engineering and then never use it is the... Absolutely, yeah. You could end up in cybersecurity.
SPEAKER_01: Yeah. Well, so you talked about how you kind of got turned on to FedRAMP early on. What was your experience there? What surprised you the most about it in your early dealings with customers and what they were struggling with? What did you learn there?
SPEAKER_00: Yeah. I guess first and foremost, just how crucial that agency sponsorship and partnership was. That's something you learned very early on. It still kind of surprises me to this day, but I'm not complaining, because it keeps me in a very stable job. But just the level of, ignorance might sound like a derogatory word, but just by the literal definition, ignorance around the FedRAMP process. It did surprise me how consistently I came across that in calls that I came on. And what's interesting is, I'd be interested to hear your perspective, Jason. I feel like now the ratio of calls that I have where I'm talking with clients, and they or someone on their staff is like, oh yeah, I've been at XYZ company, I took them through FedRAMP, so I'm kind of familiar with it, is so much higher than five years ago. Five years ago, it would be rare to come across that. And now it's relatively common. So I think in the early days it was definitely a surprise of, oh wow, I'm shocked how few people know anything about what is required to go through this. Even something as relatively basic as the difference between a readiness assessment and a full security assessment, and a Ready status versus Authorized, those sorts of things were just really not understood by people. And so, again, a wealth of opportunity to just be that shepherd and be that guy to say, hey, here are some of the basics, but we can even go deeper. Based on what you're telling me, I think we should go here first and then try that. But yeah, that was the biggest thing I think early on.
SPEAKER_01: Yeah, I remember, back to 2012 when FedRAMP was started, we were doing a FISMA private cloud for Dell at the time, and that project became one of the first JAB-authorized IaaS services out there, right? So we were there from the beginning, and the first four years were all about those first 30 or so authorizations getting through, and the IaaS providers getting their accreditations. The whole idea of PaaS was just being figured out and understood, right? And then that would become the foundation for the SaaS explosion that came in 2016 and '17. Yep. When things got so much more busy. But yeah, I remember back in that time, the average technologist that I came across didn't even know what FedRAMP was; they hadn't heard of it. And today it's totally different, totally different. We go into a conversation, and a lot of times they have somebody already staffed there or a program manager that's done FedRAMP somewhere else. So we have the exact same experience there.
SPEAKER_00: Yeah, yeah. It is interesting. And now, it's not that people know the entire process every time, but there's much more, and there are a lot more folks that, if nothing else, come to it and say, oh yeah, I've heard this costs a lot of money, costs over a million dollars, it's going to take a long time, and I need a sponsor. They know some of the high-level basics at least.
SPEAKER_01: And we still come across those companies that come across that federal opportunity, or they hear about it, or they otherwise think that their solutions are applicable to the federal space. But they have that struggle of understanding that you've got to be selling to get the sponsor. And you have to be ready to a level where it's believable that you could get there, right? And it's a very tight contention between those two things. And I tell folks, yeah, I get that you can't invest to get all the way prepared. Nobody can do that before they start selling, right? But these things have to be a stair step. Your level of prep has to be right behind your sales motion and the money you're putting behind that.
SPEAKER_00: Yeah, I agree. I mean, always, excuse me, chicken or the egg. That's what, again, I learned very early on that was very surprising, but that's where it gets nuanced with every client, to your point. You try to talk them through and figure out, based on their situation, based on their sales conversations... I mean, it's a whole different conversation if they've been on-prem for years and their clients are just like, hey, let's just move to the cloud. That's usually a much lighter conversation than, hey, we never sold to the federal market, I'd love to break into it, so I want to get FedRAMPed. It's like, okay, cool. We need to talk through this. This is going to be a journey, you know.
SPEAKER_01: Well, I've even had the issue there where they're used to selling to federal, right? But it's an on-prem SKU, or it's easy to host, where it starts to eat into their ability to sell the cloud version. I've got a customer like that that went through JAB authorization. They have their JAB ATO, JAB Moderate. And then when they got rid of the JAB path, they had to have five agencies to show demand. Well, they had really gotten their cloud authorized so that they could continue to sell their premise-based solution, because a lot of the contracts were blending in that cloud requirement, right?
SPEAKER_00: I see.
SPEAKER_01: But it's been very difficult for them to be able to show that they have that demand to stay in the marketplace. I mean, fortunately, that's not as much of an issue with this PMO now, but they sort of got over that hump.
SPEAKER_00: That's what I was going to say. There's so much we could get into. I don't want to jump too far ahead, but boy, the times are changing. So everything we're saying is already feeling antiquated.
SPEAKER_01: Absolutely, yeah. We'll get there, I'm sure. So you talked about moving toward CMMC, right? What was that like? Because that's such a different customer subset.
SPEAKER_00: Yeah. Good question. I think that is the biggest reason; you hit on it right there. The industries that are affected are just so different. And I don't know that I was fully prepared for that initially, until I again had a lot of conversations where I was like, oh, okay, this is a whole different sort of process for them, the way they operate is different. A lot of times there's not any base level of maturity or thought around cyber practices at all, versus, oftentimes if you're talking with somebody about FedRAMP, they're at least familiar with, if not compliant to, SOC, ISO, HITRUST, whatever. With CMMC, yeah.
SPEAKER_01: I mean, when you're dealing with the manufacturers especially, especially the ones that grew by acquisition, it just runs the gamut. A lot of the manufacturing orgs that we've done CMMC work with, they've got antiquated machines on the floor that are on the network, running Windows CE, or, I mean, it's kind of a nightmare.
SPEAKER_00: It's kind of the good and the bad. The intent of the program is like, hey, a lot of these things it seems like you've been doing, you probably shouldn't have been doing. But that's hard to change, especially at a lot of these manufacturing plants, especially with equipment. Big, large custom pieces of equipment, those aren't easy to just go buy a new one of. But in general, yeah, it was fascinating. I was excited by the, not necessarily shift, still in the FedRAMP world, but the focus on CMMC that wasn't there for a while as the rulemaking process was going through and all the requirements were getting finalized and all of the nuance around that. So it was definitely exciting to sort of lead the charge on what is this going to look like, what do we need to offer to our clients and when. And a lot of that was just based, again, on conversations that I'm having. I'm so grateful that, I don't know, not a lot of people would say I love being on a bunch of sales calls all day, especially if they're not the sales rep. I'm not the sales rep. But you learn so much just by being on those sales calls and hearing from so many different data points of clients. And to your point, in this case, a completely different industry. And I had to learn so much about, again, what are they ignorant to about this process? What are their preconceived notions that are maybe misconceptions that we need to make sure that we're addressing? And obviously there was a lot of that in the industry in general with CMMC. I made an episode of my podcast that was a very special, very specialty episode.
It was more like a late-night talk show thing around what is CMMC, and I likened it to the boy who cried wolf, so I think people were tired of hearing of it, right? Because for years it was like, CMMC's coming. Yep. And by the time we were, yeah...
SPEAKER_01: We were involved in the DFARS push back in 2017.
SPEAKER_00: Right.
SPEAKER_01: So we remember it from back then, and then we kept waiting and waiting and waiting.
SPEAKER_00: Yeah, so by the time it came around, everybody was kind of like, I've heard that before. Right. So it created a need for an even bigger rush than it would have taken, to be like, hey guys, I understand the hesitancy based on the history of this program, but here's why it's really coming this time. So that was interesting too, and that's what actually nudged me into more of the outward-facing thought leadership role with the podcast and those sorts of things, too. Initially it was just, hey, we need as an industry to drive market awareness. And so the more people we have shouting from the rooftops and explaining things, the better for the entire ecosystem.
SPEAKER_01: Yeah, absolutely. I think the more, you know, and that's one thing I've really enjoyed about the past year. For us, a lot of it hinges around the changes in the PMO and the transparency that's being pushed right now. But that's the same reason that we went the media route and built our podcast channel: more people need to be talking about this. And we need to be inviting more and more folks into the conversation just to drive awareness. But also to drive transparency, that, hey, you shouldn't have to have an answer-knower that knows what these requirements mean. The stuff should be more approachable than that.
SPEAKER_00: Yep, yep. Yeah, it shouldn't be some hidden-away thing that's hard to seek and find. And again, that's what I found interesting about FedRAMP at the beginning: it felt like that. It did feel like that. Nobody had the answers and they were searching for them. And so I'm not saying that I had every answer and all the answers, but when they were able to talk to somebody like myself or y'all who did have a lot of these answers for them, you could just hear and see how valuable that was to them. The best feeling in the world for me is when I get off a call and people are like, I have been digging into this stuff on my own, reading on the website, I've talked to a few other folks, but in that 30 minutes I got the gist better than I had in the last three months or whatever. That's always my goal. So I just love being able to be as helpful as I can. And that's why, when I do have something like, again, not to get ahead, but 20x, for instance, it's so rapidly evolving and it's in such a state where there isn't a, hey, here's what the 20x requirements are going to be going forward. We don't have that sort of stuff yet. So when I get asked those questions now from clients, I tell them everything we do know as of today and generally the direction, and all that I'm sure we'll get into. But I tell them, I don't like being in this position. I like having the requirements, and I like knowing what it is, being able to explain that process. So that's something that I definitely enjoy.
SPEAKER_01Yeah, and and um it, you know, uh I'm fine with going straight into 20x actually, because we talk about it a lot and it it's uh it's on our minds constantly. Um but yeah, I mean it, you know, when I first heard that FedRAMP was changing all these big, big changes, especially moving away from the NIST controls, I mean, I think that that really kind of broke broke everyone's brains. Um, and still does to some degree because we're all still trying to to fit this you know, puzzle piece into the existing puzzle, you know, uh of the whole landscape, you know, D Fars and and uh CMMC and and Feder FedRAMP equivalency. Um, how are all these things going to pan out? So I I think a lot of the a lot of that's still to be determined.
SPEAKER_00Definitely. I I agree. Um just and that's what again, I think as far as current sort of misconceptions going back to that theme around you know clients, what do they know or not know? I think especially with 20x, it's it's that. It's a lot of people coming and like, oh, I heard about this 20x thing. Can you know what's the difference? Should I should I get 20x authorized or not? Um and they just view it as like a almost like like they would view categorization levels previously. I think they view it as like a oh, there's a low, moderate, high, now there's a new 20x offering. And I try to explain, like, no, no, no, this is a complete reimagining, right? It's flipping everything on its head. Like, we're looking to your point, we're not looking at NIST controls anymore, we're looking at these things called KSIs. They're still going through the pilot program on what are those actually going to look like? How do you assess against them? How do you automate them? What's the machine readability and how does that you know talk to each other? And so I think that that's just the general misconception with 20x right now is I think a lot of people just hear about it and they think of it as like an option that they can go get without understanding just how different it is and how much to your point it kind of shook up the entire way FedRamp had operated before.
SPEAKER_01Yeah, and and and uh it's funny, like like when when you look at the the landscape of the the players, you know, the people that have been involved in FedRamp for a long time, you know, companies and and individuals, it feels like there's two categories. There's like those who are who are just sort of like, okay, I'm gonna go do something else for a while, right? And then there's the the folks who are really leaning into it and and loving it. Um you know, from from our standpoint, I mean, we we chose from the start to to lean in, um, lean in on it and see where it could go because we we were ourselves really on behalf of our customers, just frustrated with where the process was. I mean, it felt, and this is something that was regularly said in the office here, that FedRAMP is broken. Um, you know, it shouldn't take 11 months in the finalization queue uh to finally you know get authorized after the agency's already uh given you their ATO.
SPEAKER_00Yeah. I mean, there they're to your point, in a lot of ways, regardless of what uh will or would be proposed to come out the other end, a shakeup was needed, and there were a lot of things that needed fixing. And so I I would agree. I mean, everybody felt that way, especially those of us really in the industry of just like, yeah, it gets frustrating to your point, especially on behalf of the clients. Like when they have especially those wait times that the PMO reviews used to take and things like that, it's like I'm I believe me, I am with you. You you're more frustrated than me. I get that because you're more, you know, it is affecting you more, but like I get it. I would be frustrated if I were you. And so, yeah, the the time, um the cost, obviously, the um agency, the chicken or the egg problem, trying to get rid of the chicken or the egg of an agency sponsorship first. These are all really, really, really well-intended goals. Um, and then now it's just, you know, hey, live and full transparency, we're gonna try to figure it out together as an ecosystem. And so that's what I try to relate to. People is like, we're still we're still in that figuring it out stage, right? So I'm hopeful as well, and and we leaned in early as well. We we assessed clients. Uh so for those unfamiliar, they did the 20x low pilot, right? So they went through a pilot program of um having uh a number of um OSCs go through, oh sorry, CMFC language, uh cloud service offerings, um, go through 20x low um in a pilot phase. We we were the third-party assessor for several of those. In addition to that, we have our own evidence collection platform called Ascend, our own software. We got it assessed, and it is 20x low authorized. So we have a unique standpoint that we've been on both ends, actually. So we have a product that's 20x low authorized, and we've assessed against 20x low. 
And then now they're obviously in the 20x Moderate pilot phase, and we are assessing clients in that phase as well. So yeah, we've leaned in as well, and we're like, hey, we're very hopeful. These are fantastic goals to seek, right, in terms of improvements from the previous FedRAMP framework, and they're very open to feedback in terms of what this could end up being by the end of it. So yeah, why not lean in and give it a shot?
SPEAKER_01: Yep. And the same with us. We leaned in early, we took our platform, we've been building platforms for years now, coming from everything that we learned out of advisory, all the motions that were required to walk customers through. We were like, well, we could build a lot of this stuff into a platform, right, that's ready to go on day one for a customer. So we built the Accelerator platform out of that, and then a multi-tenant version called XP40 out of that as well, and then some tools like Command Center that are the interface to those two things. And likewise it gave us the opportunity to take those through the Low pilot and the Moderate pilot as well. In fact, we just heard back from the PMO today that they didn't think that they needed to meet with us on our Moderate. So hopefully that's coming through here real soon. That's great. But yeah, it's exciting, because probably like you guys, we didn't really have a good opportunity to get a certification or an authorization before, because we didn't have that agency sponsor. We were always being leveraged once removed from direct agency work, right? We were a provider for a supplier of an agency and never directly for the agency.
SPEAKER_00: Yep, yep. And we kind of felt the pain of our clients for a lot of years there, right? Of like, oh, we don't have that agency sponsor. And if nothing else, one of the biggest improvements for the new PMO and the new wave of this, even though the 20x program is still being finalized, is that those backlogs of reviews that we were talking about earlier went away. So that was an immediate, nice sort of reprieve. Not having to tell people, hey, when we're talking about timeline until you're authorized, here's what I would factor in, depending on who you work with and what your solution is, for how long it takes to get ready and compliant. Here's how long the assessment takes. And then they go, oh, right after that is my timeline, right? Nope. Add a bunch more months for the PMO to review it, right? So now we don't have to add in all of those unnecessary months. So that's always nice.
SPEAKER_01: Yeah, I remember when I saw it, it was probably almost a year ago or right at a year ago, this being March of '26. I would open the tab a couple times a week for the Marketplace, and in those three tiles of recent activity, they would be the same, you know. Yeah. Every day. And then all of a sudden, oh, all three of them are new. And then the next week, oh, all three of them are new again. And I'm like, wow, what's going on here? Yeah, yeah. Things are happening.
SPEAKER_00: That communicated what was happening, that's very true. For the longest time, it'd be three up there, and then maybe finally one bumps into that top three, but now it's clearing them in there as they're assessed.
SPEAKER_01: Yep. And now, as we speak, I think the Marketplace is at close to 500, it's 499, I think. I was gonna say, I was on this morning, it was 499, yeah. Yeah, and somebody called that out, and Pete chimed in and corrected them that we actually hit 500, but when we did the FSI, or the security inbox test, somebody said that they wanted to be delisted, so they went back down to 499. It's like they threw a party in the office for 500 and then they had to roll it back. Take all the streamers down, save them for next week. Yeah. We'll party again next week.
SPEAKER_00: Yeah, well, it's still, again, rapidly changing so much that it's still taking me some getting used to. Like, I still have it up here seeing separately FedRAMP 20x authorized services, a number of those. It's still, like, you know what I mean. I'm still getting used to it.
SPEAKER_01: Yeah. And we're still in this, I would call it just a bit of a stasis almost, where everyone's sort of waiting on the final rules to come out. I think that they've pushed that back to June, I believe. So I think the whole industry is kind of like, you know, just, I agree, a couple more months.
SPEAKER_00: Yeah, yeah, yeah. I think there's a lot of people lining up at the start line, and industry is holding them back with the tape and saying, hang on, hang on. We need to figure out what these requirements are gonna be. Let's hold it. But yeah, even that, that's not far away. It's a few months away.
SPEAKER_01: Yeah, it's not far away. And I think we know the broad strokes, and I think that the actual publishing of the final versions of the standards will just bring things into a little bit more focus, you know, what the final picture looks like. So we're sort of building to that slightly out-of-focus picture right now, and that's fine. Yeah, yeah.
SPEAKER_00: I would agree. It's more accurate to put it that way than to say, hey, we don't know what the requirements are gonna be, to your point. It's like, we're not clueless. There's broad strokes, the direction is there, but what's gonna be written in the final consolidated rules there, we'll see.
SPEAKER_01: It's fuzzy math. It's not fuzzy math.
SPEAKER_00: Yeah, which I'm used to from engineering, yeah, yeah.
SPEAKER_01: Cool.
SPEAKER_00: I know I had us incidentally blow past a lot of CMMC because 20x kept coming up. So if there's anything you wanted to circle back to there, we could. I know you also mentioned equivalency. That's a fun topic. I was a 3PAO, C3PAO. That's the fun cross of our world.
SPEAKER_01: So yeah, I would love to hear more of your take on that.
SPEAKER_00: Yeah, so early on, once, again, CMMC was, well.
SPEAKER_01: Do we want to describe what equivalency is real quick? Just for the uninitiated.
SPEAKER_00: So it goes back to DFARS language, but then CMMC kind of brings the stick behind it ultimately now, now that organizations are getting CMMC certified. But the long and short of it is, if you're a supplier of the DoD and you have sensitive information, controlled unclassified information, and you are choosing to store, transmit, or process that in a cloud service offering, that cloud service offering needs to be FedRAMP Moderate authorized or equivalent.
SPEAKER_01: Now that had been the language for a while, really since DFARS 7012, I think. Yeah, back in 2016.
SPEAKER_00: Yeah, and then it was, I think, 2023 when they came out with the equivalency memo. I'd have to pull it up and see exactly what it was.
SPEAKER_01: Sounds right.
SPEAKER_00: Then they finally came out with a memo, because nobody knew what equivalent was, yeah. Is that a thing? I don't think that's a thing. Yeah, it looks like 2023.
SPEAKER_01: Definitely not a thing. It wasn't a thing.
SPEAKER_00: Yeah, it wasn't like a determined thing. So it was very up for interpretation. Nobody was really giving that any leeway in terms of, oh yeah, you're equivalent, we'll pass that. So the DoD, finding...
SPEAKER_01: And then some of the bigger players like Microsoft were like, yeah, our normal non-GCC offering is equivalent, right? Because we build it to the same standards as the audited environment. Yeah.
SPEAKER_00: Yeah. And back then, who were you to argue that that wasn't equivalent to the definition? Yeah, exactly. And that. So the DoD finally came out with a memo. Let's see, the title is "FedRAMP Equivalency for Cloud Service Providers' Cloud Service Offerings." So basically they came out and said, oh, we understand, okay, we hear you. We need to define this for you guys. So this memo, excuse me, is still the de facto thing that's referenced if you're going for equivalency in terms of what is actually needed there. To summarize it, it's not a long memo, it's like three pages, but the long and short of it is you need to be compliant to the FedRAMP Moderate controls. You need a FedRAMP 3PAO to come in and assess you and assess your compliance to all those controls, and then you need a body of evidence, which is all of the documentation, there's a whole list on there, but all the documentation around your compliance and your assessment proving your compliance. That body of evidence is what shows that you are meeting that FedRAMP Moderate baseline and you are equivalent to FedRAMP Moderate. The one big asterisk or nuance that is different than if you're getting FedRAMP authorized, well, number one, you don't need a federal agency to sponsor you because you're not getting FedRAMP authorized, right? So that's one thing to mention that is still a big misconception. You do not get a FedRAMP Marketplace listing from getting FedRAMP equivalent. FedRAMP equivalent is just a body of evidence that you have accumulated from getting assessed, showing that you're meeting these controls. It's not involving the FedRAMP PMO, it's not involving a federal agency, any of that sort of stuff. The other thing is, and it writes in there, basically you need to be FedRAMP perfect. There's no POA&Ms, no findings, right? Which was different. You don't often see that with FedRAMP packages, right? So it's not a big stickler.
Yeah, that's kind of the big thing. So we've been performing those assessments, yeah.
SPEAKER_01: Yeah, I remember when the FedRAMP perfect thing came out, and I was like, oh, okay. So for years, the PMO would laugh at you, at your package, at your SAR, if there were less than 10 findings. And now we're saying that we want 3PAOs to issue absolutely perfect SARs, security assessment reports. So, yep.
SPEAKER_00: And so as a 3PAO, with these, it's often, counterintuitively, harder in some ways, right? You think, oh, I don't need an agency sponsor, I'm not involving the federal government, this equivalency thing will be just as easy, if not easier, but in that way it's kind of harder. And as an assessor, these assessments can drag on a little bit, because it's like, oh, yeah, there's a finding here. Oh, okay, we want to remediate that. Yeah, we want to remediate that. It'll go into the report as a remediated finding, or so, I don't know. That's been interesting, and that's come up a lot. Basically, as CMMC has continued to ramp up, so has that, because they go hand in hand, because more and more organizations that have CUI and that store it in cloud service offerings are going for their own compliance and certification around CMMC. And as a C3PAO, if we're going in and assessing them, we're saying, whoa, you're sending CUI to that cloud provider. I don't see them on the FedRAMP Marketplace. Are they FedRAMP equivalent? And so then that's driving them to go to these cloud service offerings and say, hey, you need this FedRAMP thing. They said equivalent is an option. So that's what's kind of driving it. And again, for anybody listening, you have the choice. It's authorized or equivalent, but for a lot of people, authorized isn't an option, right? It's not really a choice. So they go for the equivalency standard.
SPEAKER_01: Yeah, yeah, because they can't get a sponsor, or, you know, yeah.
SPEAKER_00: Like, I don't even sell to the federal government. I don't intend to. I just sell to contractors that sell to the DoD, right?
SPEAKER_01: Yep. And so this is where there is some friction, I think, with 20x and the approach. What's your take on that? Or if you're 20x certified, let's say by the end of the year, will you be able to support these DIB, defense-based customers?
SPEAKER_00: Good question. I'm gonna say take what I say right now with a grain of salt, as I don't think anybody knows for certain. My take, I wish I could say yes. I would love that. Because the other thing about the FedRAMP equivalency memo coming out is I think we were all kind of like, man, that's a really high bar. Couldn't you have chosen a lower bar? Like, that's a higher bar than the organizations that have the CUI have themselves, right? FedRAMP's a beast. So yeah.
SPEAKER_01: I thought it was a missed opportunity not to let those entities also get CMMC Level 2. Yeah.
SPEAKER_00: I think, my take, they just plainly looked at it as, hey, there's already a standard for cloud service offerings, and that's called FedRAMP. So why don't we just have them do that?
SPEAKER_01: We're just gonna defer it to that, yeah.
SPEAKER_00: I don't know. But back to your question. Does 20x... So the one thing that is stated in the DFARS language and CMMC is FedRAMP Moderate authorized or equivalent. So we have to look at Moderate. So then the question is, does FedRAMP 20x Moderate meet FedRAMP equivalent? I would say it does not meet equivalent, because the equivalency memo basically outlines, let's see. So basically they'd have to rewrite the memo, in my eyes, because a lot of what they list is, in order to prove this, you have to have a FedRAMP recognized 3PAO and present the following supporting documentation to the contractor as a body of evidence.
SPEAKER_01: That's the BOE, the body of evidence.
SPEAKER_00: And all of that body of evidence, 20x doesn't produce those.
SPEAKER_01: Right.
SPEAKER_00: Yeah, right? That would be the problem you run into there. But then the other question is, okay, that's the equivalency side. Does 20x meet the definition of FedRAMP Moderate authorized? I would also say no, because they're working through the nuance of this now with distinguishing. You know, at first they were gonna break them off, now they're gonna call them all FedRAMP certified. But they're fully transparent that they're gonna list 20x authorized products as separate, because it's a separate process, it's a separate level of rigor and controls that you met. Again, to our point earlier, it's a complete reimagining of how secure are you and how are we proving that you're secure. So I don't think that that would meet FedRAMP Moderate authorized, because they're even denoting FedRAMP Moderate 20x authorized as a separate thing, which I don't think would meet that.
SPEAKER_01: Right. I mean, there's definitely a lot of open-ended questions, right, about the go-forward of the ecosystem. I think what we've heard very clearly from Pete is he's laser focused on FedCiv and providing a pathway to get tools into the hands of FedCiv
SPEAKER_00: agencies and federal employees, and that's a noble goal, it's very important, but I think it leaves a lot of open questions to the other parts of the industry that sort of hinge around FedRAMP, because I think in earlier imaginings of FedRAMP it was intended to, or not intended, it was seen or interpreted to be a broader solution that other things could stack on top of, right, where Pete's been pretty clear that that might not have been the best assumption. Yeah, yeah, yeah, to your point. Not just around this, but you talked about FedCiv. That's often something that comes up too in these conversations, of clients saying, hey, should I do 20x or not? I'm like, well, who are you talking to? And often they'll be like, oh, Air Force, Air Force is talking to us. I'm like, who knows at what point Air Force will even look at or consider 20x, because the focus is on civilian agencies right now. So there's also that nuance of, let's not just say federal government. What agencies are they? Are they in the DoD or are they in civilian? Because we've been familiar with that historically, because those were different pathways going through DISA versus FedRAMP and all that, but now it's the nuance of, oh, if you're looking at 20x, okay, we have to look at what value that gets you based on who you're trying to sell to, still, right? Yeah, and the DoD is a totally separate beast under totally separate laws, right, and regulations. So it's very difficult to draw comparisons, and even the overall size of the DoD. I mean, a lot of customers on the FedCiv side that are more attuned to FedCiv,
SPEAKER_01: I don't think that there's the realization that the DoD dwarfs all of that FedCiv spending and opportunity. And just because you're doing one doesn't mean it translates well to the other. Yeah, that's something we've learned, you know, taking folks through DISA, but you also realize that there's a whole other realm of software providers out there that are doing direct DoD RMF in a DoD cloud somewhere, in Cloud Army or in Air Force. Space Force is really big. I mean, really all the components have a very significant presence beyond, you know, this is kind of small in comparison.
SPEAKER_00: Yeah, yeah, yeah, it's very true. So, you know, there's all these sorts of layers. That's why it's really important, on a case-by-case basis, to sort of dive into, okay, as a CSP, what all are you actually trying to do, right? Is it just pie in the sky, oh, I'd love to sell to everybody, or do you have a strategy, and what is that strategy? Is it, hey, I do rely on a lot of DoD contractors? Okay, that FedRAMP Moderate authorized or equivalent thing is going to come up. Oh, I want to sell to FedCiv specifically? Okay, cool, let's talk about what the options are, maybe look at 20x as an option. Do I only have one opportunity and it's with the Air Force? Okay, we don't even need to talk about 20x, right? So yeah, there's a lot of nuance to your specific situation, your specific strategy. Yeah, and we've had cloud providers that want to get in the DISA space, but they get sucked into whatever component that they're working with: no, no, you're gonna put that in my cloud over here. And there goes that. But yeah, well, awesome. Anywhere else you want to take this, or are you ready for some kind of lighter fare? Well, we can lighter-fare it up if there's lighter fare to be had. Yeah, we do the lightning round kind of thing, you know, where we just do quick answers.
SPEAKER_01: Amazing. Yeah, so during your work day, are you more of a coffee guy or an energy drink guy? I have had coffee a handful of times in my life, and I've had an energy drink maybe a handful plus one times in my life.
SPEAKER_00: So nice, I guess neither is the answer. So you're uncaffeinated? I'm mostly uncaffeinated. I've been getting into tea a little bit, you know, it's not a lot of caffeine. I'm generally sensitive to caffeine, like it just takes a little bit for me to go a long way. Yeah, nice. Yeah, I crossed that threshold like years ago. Which side, you're uncaffeinated? Oh, I'm always caffeinated. Okay, yeah, yeah, yeah, at least during the day. I kind of envy you. I see people that are like super caffeinated and they're on it, and I was like, I would be shaking in the corner, I'd be unproductive. Nice. All right, out of FedRAMP or CMMC, which one was your favorite? My favorite, what was your fave? Oh, probably, you know, I'd probably go with CMMC just because it was so, I don't know, it was interesting to be there through the whole process, I guess. Like, I wasn't around for the beginning of FedRAMP. That makes sense. Yeah, yeah, but for CMMC I was around through the whole sort of beginning of it all, and so I think for that reason it's got a more special place in my heart than maybe I would have for FedRAMP if I was in the industry back then.
SPEAKER_01: Yeah, one thing I wondered earlier, when we were talking about your background, was did you feel like you got connected with more of your engineering roots in CMMC, by any chance? Because I know like some of our CMMC customers, they do some cool stuff, engineering related.
SPEAKER_00: There are a lot of engineering firms and things like that, and just the manufacturing floor, there's a lot of engineering going on. But not really dealing with a lot of them. More, yeah, yeah, dealing with a lot of those companies a little bit more, and I could kind of relate and understand what they were doing. And I talked to like PCB manufacturers sometimes, printed circuit board manufacturers, and I was like, my people. Yeah, so yeah, maybe it was a little bit easier for me to connect with the customers and what they were doing. Yeah, well, I remember back during the 7012 push, when DFARS was being enforced in 2017, we did a big ad campaign and we probably talked to more DIB customers than we ever have, and I remember being amazed at just the level of, like, there's a company that just makes foam insulation for some kind of military plane, and that's what they built a business doing. Yeah, anything you can imagine, a little bolt, there's probably a company that just makes that bolt. To your point, it opens your eyes up. You're obviously aware of how many companies there are and how many different pieces of things there are that it takes to have all the stuff that we do and have today, but it really becomes apparent when, to your point, you're talking to these little niches of niches of niches and you're like, oh wow, you've built a very successful business on just that little thing. That's fascinating. Yeah, yeah, yeah, that was a big epiphany for us. Worst acronym in federal cybersecurity, do you have one, like, top of mind? RAR came to mind, readiness assessment report. I don't know why. I think just because it sounds funny, RAR, and also because I've always had a big issue with it, just because it creates so many misnomers and misconceptions around what it is and what you need to do.
And so like, for us to do a readiness assessment and for you to be ready, I just think that's super unclear to people. They're like, oh, I'm ready, what does ready mean? And so there's a lot of nuance of like, okay, a readiness assessment is an assessment, and we're just assessing your readiness for XYZ, and you get listed as Ready, showing that you have some core capabilities. So I don't know, I just don't think it's a great term, and it sounds kind of funny. So we'll go with RAR.
SPEAKER_01: Yeah, it's not a great idea to use like a common term that gets thrown around in general conversation as a structured status.
SPEAKER_00: You know, like, yes, exactly. How do I get ready? I gotta get ready. Like, you mean like the actual Ready status, or you just mean the formal readiness? Yeah, exactly. Or like readiness assessments, like, those are things in the cyber space independent of this formal readiness assessment for FedRAMP. So yeah, you get it.
SPEAKER_01: Yeah, you know, Pete going to the FedRAMP A, B, C, and D I think is way heads or tails better than a status like Ready. Yeah, I agree.
SPEAKER_02: I have one. Oh, what's yours, Caitlin? Give me, producer Caitlin has one. Producer Caitlin is a comedy nerd, so I want to know who your favorite comedian is. Oh, with your background, I gotta, I know, it's a very good question.
SPEAKER_00: You know who I'm gonna go with, because the Oscars just happened. I love Conan, Conan O'Brien. Yes, absolutely, great job hosting the Oscars, and I love that they let him be him and do like weird sketches that are not necessarily more mainstream on more of a mainstream stage, and I love that he leans into it. So Conan's been around for so long, but he's always been his style of comedy the whole time. I love it. Absolutely. I got to see him in New York, it was phenomenal. And it feels like he has really good relationships with the other comedians, which I love. Likeable, yeah. I couldn't see him getting into a room with another comedian and that not ending with, like, oh yeah, they're buddies now, even though his podcast, the whole premise is Conan Needs a Friend and he doesn't have friends, so there's some irony there. Yeah, okay, thank you.
SPEAKER_02: I love that question.
SPEAKER_00: Yeah, so for the other comedy nerds, do you want to plug any of your comedy or websites or anything? Oh, my personal stuff. Well, I've been working on this animated comedy series for like eight years, because, you know, when it's not a full-time job it takes eight years and you only have a little bit of time to put towards it. But it's called Sooperdoods, Superdudes with O's, S-O-O-P-E-R-D-O-O-D-S. And we're actually premiering the pilot episode this summer, July 16th, on YouTube. So if anybody's interested in adult animated comedy, that is something that me and my team have been working on for a long time that we're very excited about. Animation, if you don't know, is super expensive, like insanely expensive. So we ran a crowdfunding campaign a few years ago to raise some money to try to get just a pilot episode animated, and so we did that, and now it's gonna premiere this summer in July on YouTube.
SPEAKER_01: That's awesome. Very cool.
SPEAKER_00: Yeah, yeah, yeah, very excited. And what about your work podcast, Mostly Compliant? Gotta check that out. So about a year now, I guess, I've been doing that one. I have on different guests in the space. Early on it was very CMMC focused, just because CMMC was the hot topic, everybody had so many questions about it and so many misconceptions and those sorts of things, and now starting to talk more FedRAMP, especially as 20x is becoming more and more of a thing and people are having more and more questions around that. So check out Mostly Compliant. You can check that out anywhere you listen to stuff, and you can check that out on YouTube as well. And I have, like I said, a specialty episode, if you're one of the people who like comedy as well and you're in this space, I think you'll appreciate that episode. I did my own late night, John Oliver type show on what is CMMC, so you'll be able to find that on YouTube as well. Awesome, cool. Well, Matt, thank you so much for joining us today. We really appreciate it. Thank you, this was awesome. I loved getting to talk about my background a little bit more, love the lightning round, and I thought it was a great conversation. I appreciate you, and just, yeah, always good to catch up, whether it's on a podcast or not. So I appreciate it.
SPEAKER_01: Awesome, thanks.