uh thank you john uh good evening everybody uh i must say you're quite a brave soul to want to know about fed ramp and uh for all of you good people staying late and you know tuning in to listen to me about fedramp so i must commiserate with you and appreciate your enthusiasm and willingness to talk about government and compliance and fedramp so kudos to you for that uh john very thank you very much for that kind introduction um what i what i would like to do is sort of briefly walk you through a presentation i have to help organizations sort of understand some of the nuances in doing business with the federal government in particular i must tell you that one of our fastest growing markets is actually the bay area um i think we have helped over 12 companies at this point uh get through the you know what we call the you know accreditation process or get through fedramp and um that trend seems to be accelerating because a lot of the innovation um and new solutions that come up in the bay area are what large organizations want so um obviously um you know there's a lot of new stuff happening in your neck of the woods and so i'm very excited to have this opportunity to talk to you let me try and share my screen hopefully you'll be able to see it in just a second so what i'll do is sort of walk you through a brief presentation about fedramp uh and what it means and especially in the context of cloud so i mean really for starters fedramp is for all intents and purposes a compliance program it stands for the federal risk and authorization management program it's run by a government agency and it's really designed to help commercial organizations uh startups sas providers uh pass platform as a service providers basically get the stamp of approval such that they can then essentially sell their services to a government agency and the government agency that they're doing business with is assured so you know for want of simplification just think of it as a good housekeeping seal of approval uh as a certification from a particular agency so that's what i'll talk to you a little bit about again i'm gp i'm the principal and founder of stack armor i've been in the dc metro area at this point for almost 25 years and again almost 15 of those uh 25 years of uh in some way shape or form worked with a federal customer or agency so um again i've had the privilege of helping a number of these government agencies adopt cloud i did my first cloud migration in 2009 for the white house and again um the cloud is a sort of a different uh way of hosting data so it has its own nuances from a security standpoint and obviously federal agencies have some of their unique challenges so um i'll talk to you a little bit about what fedramp is and then more importantly why should you care and you know what are some of the nuances uh please feel free to you know ping me with any questions again i appreciate the opportunity to be here in front of you today uh we've assembled a good team uh here at stack armor we've been uh privileged to be growing pretty fast so martin rieger he is a former navy vet he's our chief solutions officer has done a fair amount of work in the compliance space terry grogan he's a compliance architect he's a former air force vet again has done a lot of work with compliance security and cloud boomi is our compliance director she's also associated with the government so again we've assembled a pretty good team here that understands cloud security and compliance and so we bring a lot of that expertise to our customers so really quickly a little bit about stack armor we are headquartered in the dc metro area we are primarily a aws shop we've again done a fair amount of work in the aws engineering architecture particularly in the context of compliance and security again i've had the privilege of seeing strong growth and again it's a testament to some of the work that we do around compliance so again we bring sort of the compliance angle to cloud and security uh so really quickly um i think we touched upon this a little bit uh so again as i briefly mentioned the the covet crisis um currently is accelerating a lot of need for innovative solutions i think right now we have over six companies uh i think four of them from the bay area uh that are providing solutions to the government for example some of them are uh in fairly diverse areas so we have two or three companies that are in the area for example covet testing so they have a solution where a member of the department of defense or a federal agency can go in and get tested and their uh covet test results are required for you know performing whatever work they do uh there are other innovative solutions for example for notifications so for example um if in a building there is somebody who has covered or something and they need to go in and have a need to go in and communicate to people within that building so lots of interesting solutions coming up and again a lot of that innovation as i mentioned is coming from the bay area and so really uh really the subject of my talk is uh to share with you some of the nuances of compliance i mean a lot of uh folks in the the startups that we see and the solution providers that we see they have no trouble with aws they have no trouble with security it's just that compliance piece that sometimes trips them up and unfortunately when you do business with the government there is a compliance and documentation component uh end to it so really uh again uh what i want to do is talk to you a little bit about fedramp talk to you a little bit about what are some of the nuances and hopefully answer any questions you have so really why should we talk about fedramp so really as i briefly mentioned we we are seeing a huge growth uh in demand for cloud by federal agencies uh it's forecasted to be almost a nine billion dollar market just for cloud services alone um the federal government spends about 80 billion dollars a year uh uh uh cloud services sorry in it in general uh of which uh about nine billion now is uh cloud and so there are certainly you know huge segments of the agencies that are increasingly growing for cloud services especially driven right now with the pandemic where you know remote access solutions um digital solutions are really really accelerating in terms of adoption by these agencies and so really while the market is great but again the fedramp compliance program is as i briefly mentioned a security program that is required so again an agent an agency can demand to review and see your security posture and so some of the challenges historically that have held back startups from pursuing this program has been um just the sheer cost associated with it um so you know typically you might hear stories about you know it takes a long time 12 to 18 months um it costs a lot of money you know one one and a half million and you know from a startup standpoint for from a lot of commercial organization standpoint there is high business risk because you know the results are not guaranteed and you know it's sort of a process in dealing with the government and so these have been some very common challenges and so that's where we from the stack armor standpoint saw an opportunity to go in and streamline and sort of focus on this niche area in helping organizations meet some of these challenges and so the way we have done that is we've basically built a unique sort of solution that combines consulting services along with it and automation or tech with automation and documentation so we've sort of tried to create a solution where we're able to go in and solve critical problems so typically when we engage with an organization and let's say you're interested in exploring doing business with the federal agency then roughly these are the kinds of topics that will come up and that you'll have questions about so for example one of the things that comes up right away is you know can i go in and host in my regular commercial east west environ region or do i need to get a special um enclave which is just for the government or do i need to host in govcloud as an example so i'm sure you guys are aware aws has the govcloud region which is a separate region from the commercial east west and then of course you have the east-west regions and so the first question is you know where should i host so the answer to that is it depends right so if you have again different kinds of data so if you're you know let's just say you know hosting data about missiles um or you know other sensitive defense information more than likely they will demand that your data run in a govcloud environment because it has itar compliance requirements as well as u.s citizen only access things like that so again depending on the nature of your solution the answer could depend on where it needs to reside that's that's a common problem that comes up the second one is again what's called the information categorization or the risk categorization right so for example again uh if you're just hosting um research information uh then perhaps the security categorization from the sensitivity standpoint is low so again the cost could be lower and sort of the threshold is lower but if you're again hosting more sensitive information again the nice thing about this program is um it's you know people don't just make it up there are very very specific um thresholds uh with which you can sort of understand where you fall and you need to go in and again that drives your budget that drives you know potentially the complexity of your compliance journey etc but again you need to be able to go in and find out you know what is the nature of data that you're hosting and quite honestly this is not necessarily something to do with the government probably if you're doing it for your commercial customers anyway it's probably something that you do in some way shape or form this just makes it more specific um and has sort of a a method behind it in terms of precisely categorizing that there are other nuances one of the big pitfalls um that commercial companies run into a lot is um compliance with encryption requirements so a lot of commercial services uh they don't uh pay as much attention to the specific crypto modules that are being used in your solution so we have to go and make sure that throughout your stack any software any operating system any vpn as an example that you are using has a fips validated compliance uh certificate associated with it and this program is run out of nist so again there is actually a database so if for example you're using a vpn and that's basically supposed to encrypt data in transit uh from you know from your users to the cloud as an example then you have to be able to log in to this website and demonstrate that certificate that says that that encryption module is certified for use in a government system and these kind of things they trip up a lot of organizations so again that's where we help go in and highlight these kind of issues early on uh there are some other specific nuances on what's called the accreditation path um again i won't go into that a lot of detail um uh again again as you're just like anywhere else um as you navigate the journey uh there are certain nuances on how you can go in and get a credit uh or you know go through the certification process one of the unique things about the fedramp program unlike any other certification program is um you know in most other programs let's say hipaa um or pci dss or you know iso or others uh it's a commercial to commercial arrangement right so you go in and pay somebody um you hire an auditor they come in they give you the seal of approval you're good to go the fedramp program is the only program where no commercial organization can give you that certification it has to be given to you by a government agency neither us nor anybody else can come in and we can prepare you but ultimately it is a government agency that has to give you that certification which makes it a little bit unique a lot of questions around you know how much time will it take how many resources do i need what kinds of people do i need one big question that comes up again and again especially in the bay area context is the use of offshore or international resources so in general for production systems you cannot use um offshore or non-us based resources so again it's uh conus or oconus only so again that is where certain organizations have to tweak a little bit either their support model or they engage with service providers like ourselves who are able to fill in that gap either on a permanent basis on a temporary basis again change control so once you go through the accreditation process you know you know a lot of startups and you know organizations are launching new features quickly uh they're innovating and so as long as you follow the change management process which is well laid down you have the ability to go and it's not a static program so again how do you do that what are some of the nuances and rules you have to follow again we help organizations basically walk through some of that of course budgeting how much money do i need it's not a one-time certification and you are done there is an ongoing continuous monitoring program that you have to budget for these are again some nuances that are associated with fedramp and then finally sponsorship obviously as i said you have to have a government agency sort of sponsor you so again how do you find that agency what's the right fit what might be some pathways so again a mix of technical business and compliance issues those are typically the kinds of questions you will get if you're pursuing a fedramp accreditation so again this is a little bit of what we have done um again i mean those of you that are familiar with amazon i don't think this is anything spectacular but essentially what we have done is taken a common pattern of delivering an aws based landing zone and basically attached to it in sort of a sidecar fashion a built-to-purpose security system that directly maps to the security requirements that fedramp requires we've coupled that with documentation i'll show you some of the documentation requirements um i think this is the part that most organizations hate um yes there is um a non-trivial documentation burden but the beauty of this documentation is it's fairly comprehensive and once you do this with this particular organization or for this particular program then every other certification whether it is talk to hipaa pci dss or iso or any other certification becomes a piece of cake because by far this is the highest benchmark to cross but once you do that then you're good to go uh pretty much for any other compliance program and then finally you know we also go in and provide sort of continuous monitoring services so for example you have to go in and uh there are uh there are 58 specific requirements that have to be followed on a daily weekly monthly quarterly basis um and reports have to be produced that's why i said it's not just a static one-time piece and again for those of you that are running cloud services today this is nothing new uh it's just that you have to go in and do it in a particular way and produce the output in a particular way that the government is looking for so this is sort of our solution threat alert and again our goal has been um and i think we've been pretty successful with that is to reduce the time and cost uh by about half um and so i think we've been pretty successful we work pretty closely with the amazon channel um and again you know we've uh i think at this point done almost 15 plus uh atos with different organizations um again standards are a big deal right so um you know i talked to you a little bit about fips from an encryption standpoint um cis benchmarks are a big deal i know a lot of commercial companies have started using them so there's a lot of awareness about that but center of internet security it's interesting it's the only standard that's actually mentioned in the fedramp guidance with regard to use of specific benchmarks there are other programs cmmc if you're a department of defense contractor you have to follow that of course you know of asp from applications and web applications security scanning so again we've sort of packaged all of these services when i talk about security services so you know really you know again you don't have to use these tools but when a system has to be fed ramped you have to demonstrate the capabilities that are shown on the left hand side under the security services column i need to be able to have for example one of the vulnerability scanning web vulnerability scans if i'm writing a web application have things like hbss host-based security services and so this is where none of this as you can probably see is rocket science but i think bringing it all together making sure that it's there and it is fips compliant and it has things like mfa enabled um with you know again accredited services those are some of the areas that people need help with and so that's where we have gone in and built a lot of the engineering and put it in place i'm sorry was there a question okay um so again uh this is sort of the security system that i was talking about that sort of attached that we attached to a customer's account or vpc um yes so there is a documentation so this is the list of documents that need to be produced for a fedramp system the good news is there are really well defined templates for that and again the fedramp.gov website i think does a pretty good job in you know sharing some of this information they have good guides again they have done a really good job in trying to help and simplify a complex problem and again there has been a lot of push from the agency's perspective to help startups um to help companies sort of engage with them and you know sort of demystify this process and they're very welcoming of questions you know and uh clarifications uh especially from startups because again they want to see that innovation come into the government ecosystem if you look at some of this i mean none of this is actually you know should come as a surprise if you're building out a large um service and you are going after you know let's say regulated customers then some of this documentation is something that you would probably have no matter what right and so again a lot of times though this documentation set can be a little overwhelming simply because there are very well prescribed templates and you can't deviate from those templates one of the things we do again in terms of our acceleration because we have a predefined security system we are able to go in and pre-fill these templates so the customer just has to focus on a specific area which is pertaining to their application so that's how we make things a little bit more streamlined so this is sort of a quick view of of the different security controls not to sort of phase you out but essentially just to give you a view on how some of the nomenclature is structured these are what are called security requirements or you know what we call controls um the way to read this chart is from top to bottom left to right um so you know those different abbreviations are basically control families so for example ac is the access control family a t is audit and training uh sorry is training au is audit um cms configuration management and and on and so against each one of those disciplines or control families there are very very specific requirements uh that have to be met and so this again assuming uh almost 80 percent of the government systems are categorized at what's called the moderate level so in total there are about 325 security controls uh and the nice thing is that you know again um if you use a service like aws then you know you get almost 43 plus controls uh out of the box and a lot of the tooling that aws offers in the context of the shared responsibility model enables the ability to go in and meet others so again all this color coding says is in order to try and streamline this process we help the customer meet over 50 of those controls and try and minimize the burden on what they have to fill out i mean one thing that's inescapable is um that's the black part uh ultimately it it is a system that belongs to you the customer uh you know the sas provider and so your policies your procedures um no matter what have to exist so we can help you there but um you have to provide them because the government is assessing not just the technology but also the organization behind the technology and so that's why again this program is a little unique in that regard so then we basically talk about controls coverage right so i walked you through a little bit of the matrix so again uh if you use a cloud service like amazon uh the nice thing is you get certain amount of controls we we overlay those controls and again our goal is to get the customer to the finish line which is what's called an ato an authority to operate and again we deliver approximately 226 of those either fully or partially um such that we can go in and help the customer get from that number into the finish line so obviously there is a fair amount of work that's involved to get there but again that's why i made that comment about you know a net 40 reduction in cost and time uh because there's still work to be done so we've sort of developed a process you know to help customers so again um i'm sure a lot of you are already familiar with this you know build a landing zone with all the different security configurations you know that sort of thing build out your security system um make sure you've got the policies procedures the documentation to match your design harden the environment you know use cis benchmarks um you know remove any unnecessary ports libraries things like that do penetration testing do vulnerability scans um and then you know you're basically ready for an audit and then you know once you pass the audit you get into sort of the continuous monitoring so a fairly sort of streamlined process um that is not that difficult to achieve if you kind of know what you're doing so um along the way again we are a startup as well uh given that we have done this for a fair amount of time we've also built some proprietary ip that makes some of this process simpler and so that's really a competitive differentiator for us where again we go in and deploy these solutions within the customer's account so threat alert is our security operations and alert governance portal so it collects the security data which is then um optimized for reporting for compliance so it's not a real-time solution or anything it's to help meet the compliance requirements similarly ops alert so um if i get a chance i'll show it to you but one of the things you have to continuously make sure is that the environment that we are monitoring is constantly compliant right so it's not just a one-time thing so i'll show you a page not every amazon service is um you know fedramp compliant as an example so i want to continuously monitor and make sure that the services are compliant and we do that using um opsid so this is to sort of just give you a quick view of some of our current uh projects again there's a significant amount of demand both on the educational sector right now um you know federal agencies healthcare so broad spectrum so again we do offer some solutions to help startups in particular sort of take on this difficult journey a little bit and so again please feel free to connect with john or send me an email if you like or look me up on linkedin what i want to do is just briefly walk you through some websites that i think might be useful to you so this um is um let me try and get this thing so this is a web page on the aws website it's basically the services in scope page it's something we visit you know ten times a day uh but as a briefly telling you this is sort of um you know the chart that shows the different services and so this is the fedramp program and then if you're doing work with the department of defense then this is sort of the area that you want to look at but if let's say i'm going for fedramp and you know if somebody says well you have to host in govcloud then the first thing you want to see is that all the services that you're using are they in this list or not right so that's the first thing is you want to go and make sure that you're only using fedramp accredited services there are a lot of misconceptions in this area so for example some people think that if something is running in govcloud it automatically um is accredited and that's not the case govcloud has a number of services that are not accredited so for example amazon batch being a good example um it's there in golf cloud but it's not accredited so accredited and the govcloud is not the same thing so and as you can see there are services that are not even in govcloud right so you want to make sure that whatever your architecture is that you're able to see it so this is another good example so you know eks right now is obviously pretty hot and so it is not compliant right through the compliance process that's what this says so again you have to factor that in and again you have to have that conversation and sort of and some of this this these compliance elements can impact your architecture so again you know this is sort of a good page to bookmark if you have an interest in amazon does an amazing job in keeping this up to date and then again um you know dod uh is a slightly different beast um again as you start to sort of um you know look at the compliance programs there so again this is a good site for you to um sort of bookmark and see if this makes sense to you and you know sort of start to do some of your research and then of course you know the fedramp.gov website that's a great one as well if you're looking to do some research there are a couple of things i recommend one is obviously the resources section so they have a number of documents here that you might use for find useful so um you know this sort of gives you a lot of background if you have trouble sleeping you can download some of these and start reading them but again as i mentioned the the fedramp office does a good job in collecting information and trying to share it with you um i think building up that basic brand of knowledge i think is great um and i think what's interesting is um just one one thing that uh to to pay no note to is um this fedramp marketplace is a pretty neat um and unique thing um it's the only service that i'm aware of that actually does an element of marketing for you obviously there's a pretty significant investment associated with it but once you are there then you'll be amazed to see how many people visit this website and they just buy products and solutions by looking at this um list here so you know the fedramp pmo has done a great job in listing this so excuse me this gives you a view of the different kinds of solutions so you know um again if you're entrance in the in the in the security space qualis is a great software company um they have over 66 authorizations um outside of what we call the hyper scalars amazon azure quality has the highest number of um uh con you know uh atos it means an agency consume them so again you can get some nice competitive information if you're looking um at either you know gaps so if you to go in and look at the kinds of solutions that are in here look at the competition things like that this is an amazing resource and what we are finding is we for example just did a project for the university of central florida and they just came here and if you were here then you know you were sort of deemed as viable if not then so it's not just for federal but a lot of public sector or education oriented customers use this a lot so we're seeing a lot of positive benefits in sort of getting listed here so again um i think it's a great resource you should check it out you know for research purposes etc and then finally this sort of a quick demo of our compliance dashboard as i showed you so this is again you know we we run this inside the boundary it runs within the customer's account so it allows us to go in and monitor the different kinds of services that they're using and things like that so again it's a pretty comprehensive program i know it can be a little daunting but hopefully i gave you a little bit of a tidbit on that john that's sort of the end of my prepared presentation um happy to answer any questions um clear any doubts revisit anything that i might have covered thank you very much girl um that was an excellent presentation why i got to see that especially it's interesting to see the marketplace for fedora um one by the world itself i opened the floor to the questions uh if anybody has any questions please ask i see there's a comment can you please share the web links so there's a question can you share the weblinks how do you plan to do that if you were you can give it to me and i can uh post it on the meet up or you could have clicked on me if and how has fedramp changed since it was first conceived i think that's a great question so i've had the privilege of working with this program since its assumption inception 2011. i think the program uh it uh it's changed from the perspective that um it was a pretty unique program in the sense that uh it wanted to streamline the process of you know this security accreditation and so the big thing is uh you know it sort of started off initially with you know just like any other government program it started real slow um you know a lot of agencies were not even even sort of following it so in other words um you know uh you would have organizations that invested in the fedramp ato but then you know the agency that would sort of um uh talk about you know this accreditation won't accept it um and so there was a lot of back and forth between agencies and or commercial organizations so i think the biggest thing that i would say is at this point in 2020 um the program is very well respected and very well established if any agency wants to go in and buy a cloud service and if you you know happen to be on a call with a government person i think the first question they're going to ask you is are you fed ramped and so i think the biggest thing that i would say that's changed is the acceptance of the program and the value that it provides and the nice thing about that then is it actually helps reduce the overall cost for customers because you know otherwise if you had sold to let's say the air force then they would have had a separate set of compliance requirements if you sorted to the navy they would have another one and so by using fedramp and the sort of dod flavor dod ccsrg you're able to just do it once and then it's acceptable to both so i think that's sort of the big change um great question okay thanks uh the next question how does this product handle canada region like if i have aws setup in canada then can you help us in compliance like p-i-p-e-d-a uh yes um so threat alert is designed uh to meet any kind of a compliance requirement uh because you know what we've found is uh we are based based on the nist sp 800-53 baseline and and if you read through it it's really not something special for government it's you know what if you were designing a system for real that you know met different security accreditations which is the uh requirement specifically to you know serve these compliance programs you would do those things right you would implement a firewall you would put in in place encryption this just helps us do it in a systematic way so i'm not familiar with pipe da myself but i'm happy to you know engage in a conversation with you but this compliance standard i mean nist is um the canadian government um has uh implemented a a canadian government-wide standard and that's also based on this so i i i believe that the the same set of security requirements would help you in any canadian compliance standard as well okay next question can you discuss cmmc please discuss how to accelerate cnmc2 questions that's a great question i unfortunately don't have my cmmc slides but the interesting thing is um think of um cmmc as um you know depending on uh you know your point of view think of it as fedramp's little brother or little sister basically it's a new cyber security maturity model that has been basically created by primarily the department of defense to go in and secure the supply chain you know a lot of what was happening is as you remember from the target breach uh the security breach is not necessarily uh you know when you're looking for sensitive information you're going after the weakest link and so a lot of times it's you know the third party supplier so let's say i'm after a particular sub design or a you know missile design then i might necessarily not try and attack the dod but i will attack you know the small company that manufactures the you know particular sensor or whatever it might be so there have been a number of those kind of breaches and so in response the department of defense developed the cmmc program which is approximately 150 to 200 security controls which very roughly map back to fedramp so you know fedramp is the high motor mark cmmc is sort of a subset of those controls and so really um in our view if more or less if you implement the fedramp low baseline uh you're pretty much you know compliant with cmmc um and the best way to accelerate is accelerate cmmc is to use again fedramp accredited cloud services um as the beginning point right so for example there is um an element that is stock uh i mean cmmc is still being sort of formed uh there is talk about reciprocity uh between fedramp and cmc so in other words if i'm using a fedramp service and uh you know then i will get credit for that um in the cmmc language and again they're all based on uh the same nist framework so our recommendation is in all the solutions we are building uh with threat alert so you know the threat alert solution i can share that link with you here as well is if you're interested uh is it is for fedramp and cmmc compliance so it's a aws vetted solution it's there for you know cmmc compliance because again the same requirements are required to be met by everybody by every framework okay um next question is with stackholmer's assistance how long does it take to get fed rant many variables of course so i'm looking for the answer like it takes at least such yeah i think that's a good question and my answer is it depends but generally generally you know if um let me let me share with you a story so we had a customer somnavere um they're based in the bay area um they um they came to us in october of last year we did a webinar with their cto uh who joined us in april so they came to us in october of last year and they hadn't been on the cloud they won a contract with the veterans affairs administration uh they have a pretty interesting software for uh sleep apnea and that sort of thing tracking um and so they came to us and said we have to have an ato in pretty short order and so in that particular instance they had a really smart technical team really motivated and so we were able to get an ato with them in about four months so october we sort of engaged with them did the migration in november december time frame uh put the documentation package together had it submitted by february and i think by march they received sort of their you know um interim ato so and that's you know that's that's not that atypical right so what i would say is if everybody is motivated and when i say everybody i mean everybody uh that means uh you know you number one as the service provider is motivated and your customer the federal agency is motivated i think you can get it done in about four months um so in general what i normally recommend is to plan for a four to six month window um i think it's doable within that time but again you know there are outliers some people will claim that they can do it faster um faster also means more money so you know in general that's what i would say is i think a four to six month period is reasonable okay next question from uh sunil looks like a crowded field with many companies doing fedramp what is the new pain point with everyone working remotely including government employees um uh so i'm not sure what uh what you mean by crowded uh playing field uh with companies doing fedramp i mean um you know there is a huge yeah i'm not sure and understand the question in regard to compliance crowded field oh yeah thank you sorry about that i think my question was more related to uh entrepreneurship uh get towards entrepreneurship if someone is working on a security uh compliance privacy kind of a [Music] solution what they need to look for uh you know because fedramp is already there are many companies like stack armor doing it so are there any specific areas which the government agencies are coming up with new standard new regulation in this kobi times that's a great question um i definitely don't want you to compete with me and you know so i will have to be careful in my answer i'm just kidding um so you know i think a lot of uh what we are seeing in terms of general demand is a move towards more and more of digitization i'll give you a couple of simple examples a lot of you know almost all government employees and you know anybody who does work with the government so you know we do government contracts um everybody has to carry a hard what's called a piv card right so it's basically a hard token um and that's what's used to access any kind of an it system um so just give it as a case in point um you know now with the covet situation all of those badging offices are closed um and there is a huge backlog um to be able to get that so people are now looking for digital solutions so whatever you know the whole actually process of digitization has just phenomenally you know accelerated in every business process right so simple thing like badging now they want to come up with a virtual badge right i mean you know those problems have been solved on the commercial side with soft tokens and things like that but the government has been slow to migrate um so there is a huge opportunity in that space right credentialing identity digital identities you know how to go and make sure that the person coming in and trying to authenticate them they are who they are um you know whole sets of there's a lot of obviously requirements where you know let's say if i'm uh i'm applying for a loan and uh i have to submit paperwork then you know now there is nobody available because of again covet to process that paperwork so you know again what can we digitize you know that sort of thing as far as remote working and employees there's a huge move um towards basically using cloud-based vpns right so for example there's a company called z-scaler they're doing exceedingly well they have a solution where i can come in and it's a cloud-based you know what they call next generation vpn where i can authenticate um and then they can give me remote access to applications so um you know that that's a great sort of um you know innovation that the government is adopting um i i i can't tell you off the top of my head if there are any new uh laws that are being um you know um uh sort of created but there is a lot of innovation um accelerated innovation around cloud adoption right so you know so and you know as you mentioned on the security side um there's a lot of ai you know can you come up with some capability that allows the government to check um you know whether the person who's logging in is you know the person again rule-based methods are not very scalable right so again you know if you look across the spectrum uh i mean there's a lot of rpa there's a lot of those are aiml of some of the hot buzzwords right now that are going on great awesome thank you guru welcome so the next question is what was the name of the oh somebody answered it called based bpm [Music] okay well i don't see any other questions there does anyone have a question last question to ask oh we're almost out of time nothing so well thank you very much i know it's way too late everyone goes dc so it's almost 9 00 pm there thanks for taking the time to come and talk to us it's very enlightening at least uh i did not know much about uh thank you john thank you for having me and again i think the kudos should come to your dedicated members for them to stay up after work and to want to listen to fat rap so i thank you for listening to me i also have three new feedback from the team uh jeff says another brilliant opportunity i'm smarter now thank you kevin says it was insightful very insightful thanks so now says thank you alex says thank you thank you kevin tucker says great presentation are finally here and and master foreign everybody says thank you thank you very much thank you and good evening to all of you thank you everyone seven