Podcasts about fedramp

  • 155 podcasts
  • 415 episodes
  • 27m average duration
  • 1 episode every other week
  • Latest: Mar 17, 2026

Latest podcast episodes about fedramp

Federal Tech Podcast: Listen and learn how successful companies get federal contracts
How Ethical Hackers Help Federal Agencies Find Hidden Cyber Vulnerabilities

Mar 17, 2026 (22:01)


Today, we sat down with Trey Ford from Bugcrowd to talk about ethical hacking. One of the most memorable phrases from ancient Rome is Quis custodiet custodes? (Who Watches the Watchman?). This ancient admonition has direct application to federal cybersecurity. We know federal agencies spend millions of dollars to protect data. How does one ensure the contracted companies are doing their jobs? Traditionally, an organization would use penetration testers, contractors, or basic scanning methods. However, today's attack surfaces are expanding, and malicious actors are innovating so rapidly that we are being forced to consider more creative options. In other words, an annual penetration test is too narrowly focused to be effective against an AI-inspired attack. The innovation Bugcrowd brings to the table is a community of researchers who can attack a system from many perspectives. During the discussion, you will learn about federal vulnerability disclosure programs, how to overcome talent shortages, and how Bugcrowd vets its research community. Trey Ford also touches on the FedRAMP journey, AI integration, and the evolving cybersecurity landscape, stressing the need for human creativity and dynamic responses to threats.

Connect to John Gilroy on LinkedIn: https://www.linkedin.com/in/john-gilroy/
Want to listen to other episodes? www.Federaltechpodcast.com

Federal Drive with Tom Temin
Two December cases show DOJ is shifting its cyber enforcement into higher gear

Mar 4, 2026 (13:08)


Two very different cyber cases, a DFARS-driven settlement and a criminal indictment involving FedRAMP misrepresentations, are giving contractors a preview of DOJ's posture for 2026. Both point to a more aggressive and more varied enforcement landscape. We're talking through what that means with Andrew Liebler and Lance Taubin of Alston & Bird.

See Privacy Policy at https://art19.com/privacy and California Privacy Notice at https://art19.com/privacy#do-not-sell-my-info.

ChannelBuzz.ca
Shadow AI is an identity problem, and your employees already created it

Mar 4, 2026 (28:13)


Jack Hirsch, vice president of product at Okta

The rise of AI in the workplace is creating a new kind of risk for organizations: shadow AI. Employees can now spin up AI agents that connect directly to emails, files, and business systems—often without IT oversight. These agents can access sensitive data, and without proper controls, they become prime targets for cyberattacks. In this episode of the podcast, we're joined by Jack Hirsch, vice president of product at Okta, to explore what shadow AI is, why it matters for Canadian organizations, and how IT partners can help their customers manage it. Jack discusses Okta's latest tools, which provide real-time visibility into AI agents and their permissions. These capabilities make it easier for security teams to discover unmanaged agents, understand their access, and quickly bring them under identity-based controls. We also touch on regulatory implications, including Canada's proposed Bill C-8, which heightens expectations around cyber risk accountability, access controls, and transparency. As legislation moves forward, organizations will need to prove they understand not just who has access to sensitive systems—but which AI agents do as well. For MSPs and IT resellers, this emerging landscape represents both a challenge and an opportunity. Jack shares insights into how partners can position themselves as trusted advisors for clients navigating AI risk, turning a potentially complex problem into a service opportunity. Tune in to hear why identity management is becoming central to securing the agentic enterprise—and what your customers will need to stay ahead of shadow AI risks.

Full transcript:

Hello and welcome to the ChannelBuzz.ca podcast, bringing news and information to the Canadian IT channel for the last 16 years. I’m Robert Dutt, editor of ChannelBuzz.ca, and as always, your host for the show.

Okta has announced a new set of capabilities designed to help organizations uncover and manage a fast-growing risk: shadow AI. As AI tools become easier to use, employees are increasingly creating their own AI agents, connecting them to emails, files, SaaS apps, and internal systems to get work done faster. The problem is that many of these agents are created without security oversight, governance, or clear ownership. Once they’re connected to sensitive systems, they can quietly gain broad access to data, making them attractive targets for attackers and a potential liability for organizations. Okta’s new solution is designed to address that gap. It gives security teams real-time visibility into AI agents across the enterprise, showing which agents exist, what they can access, and what permissions they’ve been granted. Just as importantly, it allows organizations to quickly bring unmanaged or risky agents under identity controls, treating them more like digital employees than anonymous tools. That visibility matters even more in Canada, where proposed legislation like Bill C-8 is raising expectations around cyber risk accountability, access controls, and transparency. As AI becomes embedded into everyday workflows, organizations will be expected to know not just who has access to what sensitive data, but what machines and agents do as well. To unpack what shadow AI really means, why identity has become central to managing AI risk, and what all this creates in terms of opportunity for Canadian IT partners, I’m joined today by Jack Hirsch, Vice President of Product at Okta. Let’s dive in.

Robert Dutt: Jack, thanks for taking the time. I appreciate it.

Jack Hirsch: My pleasure. Thank you for having me.

Robert Dutt: It feels like this is a topic that a lot of folks in the channel have been through with different flavors in the past. When you say “shadow X,” it certainly brings up memories of transitions past, but just to level set and set the parameters here, can you give me a quick definition on shadow AI? I almost said shadow IT. Can you give me a quick definition on shadow AI, and why it’s becoming both a security and governance issue?

Jack Hirsch: Sure. Well, look, it’s no secret now that AI is changing the shape of how work gets done in the modern era. You have these non-deterministic entities running around, and fundamentally, they’re exciting, they’re interesting on their own, but where they really light up in value, where you start to see efficiency and effectiveness gains from your carbon-based workforces, is when you start connecting them to tools. They need resource access to be truly productive. So AI agents need resource access, and that’s when it can start to get scary, and that’s when shadow AI starts to create a ton of risk for modern organizations. We know that the point of authentication is now much stronger with phishing-resistant auth. However, post-auth security is the primary breach vector for the vast majority of cybersecurity incidents now, meaning the session token’s been cut. There’s access out in the ecosystem, and that’s why shadow AI is terrifying. Unfortunately, the options available to the ecosystem to secure AI and to build it quickly have been not good enough, to put it bluntly. This leaves security leaders with this very, very difficult challenge of moving fast and potentially breaking things and giving away the keys to the kingdom to OpenClaw, or whatever it is that you want to do, or potentially stifling innovation. That’s a really, really difficult spot for security leaders to be in. So yeah, shadow AI is everywhere. The challenges are greater. The stakes have never been higher.

Robert Dutt: Yeah, so that’s sort of the problem space. So when employees spin up AI agents and connect them to emails, to files, to internal data, to systems, whatever it may be, I presume most of the problems emerge from unintended consequences, as is so often the case in technology. But what are some of the common ways that sensitive data ends up exposed without anyone really necessarily realizing it, or is that the nature of the problem?

Jack Hirsch: Well, look, I think there’s sort of the naive answer, and not to say that it’s easy or trivial. I don’t want to trivialize this, but the naive answer is, “Oh, prompt injection, data leakage, data poisoning. Oh yeah, who knows what the LLM will spit out?” But the actual scarier risk is around inadvertent access and the standing credentials that need to be given to AI agents for them to be productive. If Rob, you and I work at Acme Corp, and we’re working on a project together and we want to spin up an AI agent, whose permissions do we give it? Most of the time now, a security leader is not going to be able to jump in front of every single moving train and slow them. They’ll just say, “Oh yeah, give it a set of static credentials. Give it an API key, but don’t give it Rob’s access. Don’t give it Jack’s access. Give it super user access, and we’ll trust it to do the right thing.” And so you’re giving this untrained, very influenceable, non-deterministic entity the keys to the kingdom. And that’s really the primary risk vector here. And so it’s all an identity and access management problem. Fundamentally, these are identities that need to be discovered. They need to be controlled. They need to be governed. And their access needs to be managed in the same way that their carbon-based peers, us as humans, need to be governed as well.

Robert Dutt: So with that framing, it sounds like maybe identity is more important than traditional network or endpoint controls in terms of security in this world, where there are all these agents running around and doing whatever it is, hopefully, we want them to do and potentially what we don’t want them to do.

Jack Hirsch: I think this is where the traditional model of endpoint or network or identity-based detection and response falls flat. You can’t keep up with the incredible volume of AI agent activity out in the ecosystem to detect it all. Every single, even approved platforms are now starting to put AI sprinkles throughout their products. And so it’s sort of fighting an uphill battle there. And so the reason this is truly an identity-centric problem is because, again, all those agents need access to resources inside of organizations. And the way that AI grew, and we saw this with how OpenAI and Anthropic and even Google with Gemini, their sort of growth paths were primarily consumer driven. And in a consumer world, it’s really easy. I’m spinning up, I’m literally sitting next to a machine that has a Claude bot spun up in a fully isolated environment, but I’m an individual user in that scenario. And so if I want to give it access, I can just OAuth myself. It’s super easy. And so the authorization mechanism wasn’t really thought about in an enterprise context. And then when you get into an enterprise context, you have individuals that want to do exactly the same thing and access corporate resources. So it really is a new type of identity. We can talk about some of the differences between human and AI agent, but it’s fundamentally an identity and access management problem. These are digital identities, non-human identities that need access to resources within an organization. And you actually see this being recognized by broader standards bodies. So for example, Cross App Access was something that we’ve been working on. It’s a new standard, it’s an extension of the OAuth protocol. And it’s something that we’ve been working on for years, two, three years now at this point. And we reintroduced it to the ecosystem this past summer, summer of 2025. And we introduced it first to ISVs and the people that were sort of around the Okta ecosystem had heard about it before. But then the rest of the ecosystem, the adoption was wild because MCP had become a thing and people were trying to deploy MCP servers and AI agents into their enterprises. And no one, not at the time Anthropic or OpenAI or any of the big model providers, had taken on the challenge of enterprise authorization for AI agents. And so this standard that had been sort of latent and sitting somewhere in an IETF draft for a while got picked up and started gaining a ton of steam. And just in November, right before Anthropic split off MCP and gave it away to the open ecosystem, it got merged into the MCP repo as the new default enterprise authorization mechanism for MCP. And so this isn’t something that’s Okta owned, it’s just a standard that we developed because we are independent. And as such, we are the sort of standard-bearer for the open security ecosystem. We believe that we need to be the rising tide that lifts all ships. And that’s why we develop open standards like Cross App Access. So now, really excited, we’ve taken our own engineers and pushed this authorization code out into the open ecosystem so that many applications start picking up this capability, this new OAuth extension.

Robert Dutt: So at a high level, when you talk about the products that you guys are bringing to market, the solutions to address this, at a high level, what kind of new visibility or new insights are you giving organizations that are using these tools that they simply didn’t have before when it comes to discovering AI agents, the privileges they have, and what they’re up to?

Jack Hirsch: Yeah. So, I mean, maybe if I can even blow it up further and say, let’s talk about maybe three steps: discovery, then control, and governance. So on the discovery side, there are many ways to discover, let’s date ourselves, shadow IT. There are many ways to discover, right? You can have a browser extension, you can have some sort of endpoint monitoring, you can have network monitoring. You can also check the resources themselves for access. And so we took a, initially, we’re taking a multi-pronged approach to doing the discovery, but we’re doing what we do best, which is integrating into over 8,000 ISVs and checking for resource access. And so who’s accessing these resources? Are they carbon-based? Are they digital-based? And so the first phase of discovery with our ISPM product is being able to see who’s accessing these resources and why. And so that extended very, very nicely to AI agents. And it doesn’t really matter where the AI agents exist, right? It doesn’t matter if they’re part of a larger platform with something like Salesforce and Agentforce, or whether they’re homegrown, built off in some skunkworks team off to the side. Ultimately, when they get access to the resource, we see it. And then you get into the control plane. So that’s just the discovery. Within the control plane, we want to meet our customers where they are. And we know that the vast majority of these things are going to be granted access via static credentials, just the god-mode tokens. And for those, we can harden them. We can effectively bring them under management. We can bring those credentials under management. We can observe them. We can rotate them. We can observe for anomalous behavior, et cetera. And so that’s like what you would consider a traditional PAM use case or maybe a modern IGA use case. But then also with control, we give Cross App Access, which is a new mechanism that extends the amazing innovation that was OAuth and OAuth scopes, basically extending that to say, instead of checking with the end user for access to this resource, we can set policy. Now the IDP can set policy to control access to those resources. And then to close the loop, there’s governance. And so standard governance flow, and actually I don’t even want to say standard governance flow because governance historically has this GRC compliance lens, but it’s very much a security-forward technology here. When you get to the state where you need to govern these identities and their access, we can run access certs in the exact same way based on whether or not they’re human or non-human. And so every one of those agentic identities gets pulled into Okta’s Universal Directory. All of their access is controlled. All of it is governed. We still gather the same risk signal and risk pattern behavior from the Identity Threat Protection product. And that’s, I wish I could say that 10 years ago, we knew we were building an identity security fabric, this new category of product that’s going to cover every identity use case, every resource type, and every user type. However, that was the strategy, not knowing that AI agents were going to be born in the 2020s. And it just makes it so that we are really well positioned to capitalize on this opportunity. And it gives us a very novel approach to how we secure AI in a way that, it’s because we have this unified identity security fabric. A basket of tools that don’t talk to each other, if you have a disparate IAM and IGA and PAM set of tools, in theory, you could stitch it all together, but you end up with higher costs and worse security outcomes. And so we actually took a much harder approach to market. And this is many years ago. Again, this predates the rise of AI agents, but we decided that we were not going to take an acquisitive strategy where we just bolt on a bunch of things and call them a “platform” in air quotes. And your order form would look like a drugstore receipt. And so you’re not buying a list of products that happen to be on the same order form because we want to satisfy a CFO. We’re taking an approach that we want to drive end-to-end identity security outcomes for CISOs and IT leaders. So we’re doing the hard work deeply integrating these products across the fabric so that we can truly secure every identity, every use case, and every resource type.

Robert Dutt: Close to home here in Canada, we have a proposed Bill C-8 on the table. It’s raising expectations around visibility, around access control, accountability, risk, all of these things. I know there are similar ideas out there in terms of government around the world. How does legislation along these lines change the conversation for IT leaders, especially around the topic of shadow AI?

Jack Hirsch: So look, I am such a fan of this type of regulation because it pushes… When we enter highly regulated markets, regardless of where they are, and we can talk about C-8, I think it really does align with our identity security fabric narrative and what we’re angling for. But fundamentally, what we’re talking about is trust. If I’m not mistaken, C-8 talks about resilience and reliability. Okta has industry leading availability and resilience. We proudly espouse our four nines of availability, but in reality, it’s much higher. And we target much higher. With the launch of our cell in Canada, and we can talk about the nature of that launch, but with the launch of our cell in Canada, we not only get multi-region disaster recovery, but we get Enhanced Disaster Recovery, which is a product that I really wanted to call Instant DR, because it’s a DNS flip, but the lawyers didn’t like that. So it’s Enhanced Disaster Recovery. And so when you’re talking about resilience and reliability and running critical infrastructure, fundamentally, identity is critical infrastructure. We support governments, financial services, militaries, supply chain logistics with organizations like FedEx, healthcare. And so maybe bringing it back to C-8, data residency, check, highly invested, especially with de-globalization pressures around the world. Supply chain governance, super, super important for us to maintain our independent posture here and to say, look, it doesn’t matter whether you’re buying from a monolithic platform or an independent provider of identity security. We are invested in making sure that your entire enterprise is secure. And so just the same way FedRAMP was a standard-bearer and STIGs in the US were standard-bearers, or IRAP was pushing us in the right direction in Australia, or ISMAP in Japan, I think C-8 is a very, very welcome change. I think it highlights the need for robust identity security and it should put identity at the foundation of every security leader’s agenda this year.

Robert Dutt: Well, these pieces of legislation are still in the process and we can look forward. This is likely to see the light of day in some shape or another, but there’s still that sort of sense of maybe we should wait and see. I guess what I’m getting at is what’s the danger or the risk involved in waiting until regulations are finalized, on the books and in place, before starting to take action?

Jack Hirsch: So let’s just say at a personal level, I am not into promoting scare tactics. I know that it is very common in the security space for colors to be red. Our colors are blue. That’s not our vibe at Okta. And so look, every organization has their own risk barometer. What I can say is the vast majority of breaches stem from some form of attack on identity. The vast majority of breaches, the implications of having a data breach, oftentimes they go, I think the average time to detection for a data breach is somewhere just shy of 300 days. And so you’re talking about millions of dollars in damages, huge reputational hit. And there are scenarios, and I will not point to any recent security incidents that might have impacted large swaths of the industry, but not Okta. But I’ll just say the reason is because we believe strongly that having a lower risk profile should be easier, should be more elegant. People come to Okta not because of the, “Oh, you get it all done by the CLI.” Yeah, you can, but it’s elegant. It’s intuitive. It’s easier to use. It de-complexifies the world of identity security. I’m sitting in front of my notepad here to take notes, and one of our product principles is productizing best practices. And so we want to make it easier for organizations to reduce their risk profile and make the end user experience elegant and memorable when it needs to be, and disappear into the background when it shouldn’t be memorable. And so with that, look, I would advise everyone go down the rabbit hole. Just look at recent breaches. Look at how widely pervasive these breaches are. Look how easy it is to go after a phish, to buy a phishing kit on the dark web, and see the types of organizations that get hit by these and it’s everyone. And so whether you’re waiting for legislation to be imposed to drive the standards or you are just looking to have an appropriate barometer of risk for your organization, you shouldn’t have to choose between ease of use and cost and lower risk and greater security. And so I would just say everyone’s going to be on their own journey. I’m not a salesperson. I’m on the product team. But I fundamentally think that identity is one of the pillars of Zero Trust. I believe that it should be. It’s foundational. It is the foundation. If I had nothing else to do, if I were starting my own company today and I wanted to build a security practice for my company to manage our organizational risk, it would start with identity, 110%.

Robert Dutt: We’ve taken sort of a general market-wide view of the technology problem and now of the regulatory side of things. This is a podcast for IT solution providers. So sort of going with that “if I were starting a business today” line that you just started there, for MSPs and resellers, where do you see the biggest opportunity to help customers get ahead of shadow AI, both in terms of reducing customer risk and in terms of new services, new types of services that they can bring to market?

Jack Hirsch: I’ll take it in two parts. One is just you can’t control what you don’t see. And so for VARs and MSPs and sort of operators in the technology ecosystem, I would say look at Okta’s ISPM product. It is amazing what you learn by wiring it. And it’s not just for Okta as an IDP. It’ll wire into any IDP. It will wire into multiple IDPs. It’ll wire into over 300 SCIM-based apps because it’s wired into the Okta Integration Network, and there’s a large set of SCIM apps that work natively with ISPM. And just see what you can find. I optimized my life, my product world for hugs and high fives. And I’ll never forget, I’m sure this person knows exactly who they are. It was a security leader in Australia, ran out of their office after trying ISPM during a merger and they used it to reduce risk during the merger as they were establishing a trust relationship between their organizations. And it basically made this person look like a superstar in front of their C-suite and board because it was like the entire risk burndown chart for their entire M&A transaction to establish the technical risk barometer. So I would just say ISPM is an incredible starting point. A+, highly recommend. You can’t control what you can’t see. And then I think on the second part, of course ISPM will discover AI as well. And then the second part is just, I wouldn’t lose sight of the experience. And so making sure that you’re creating an elegant experience by your choice of products, not only for the admins that you might work directly with or the leadership that might be engaging with you, but also for the end users. And knowing when tools should be elegant, easy to use, easy to configure, and when they should just sort of fade into the background. That’s ultimately what we work on at Okta. It’s our strong conviction from a product standpoint, that it needs to be an absolutely elegant, unmatched user experience for partners, for admins, for end users, and for customers.

Robert Dutt: I think we’ve gone over a lot of the territory that I wanted to go over, but just to kind of bring things home, looking ahead over the balance of 2026 or into the first half of next year, what do you think are going to be the biggest mistakes that organizations might make when it comes to agents and identity? And what can solution providers be doing now to make sure their customers don’t make those mistakes?

Jack Hirsch: This is an easy one. I think there’s sort of two categories of mistakes. One is getting worried because everything is moving so fast, getting that sort of analysis paralysis to say, “I’m going to see where it shakes out. How important is this AI thing?” Or even if you’re an AI bull, waiting to see who the winners and losers are before you establish any sort of program around it. That’s, I think, one big category of things not to do. I would say, go after it immediately. The capabilities you need are already out there. They might be newer. They might feel a little bit less familiar. But again, ultimately, these are identities that need access to your corporate resources. So I think that is one big category. The other big category is, I would not look at point solutions for this. Anyone that is saying, “We’re going to secure your AI.” That’s great. But what is an AI? It’s an identity. It can be a resource in some scenarios, right? With agent-to-agent, agents acting as resources, but ultimately they’re just identities. That’s for the identity nerds. Sorry. Just as a caveat for the identity nerds out there like myself. But fundamentally, you need a unified platform that gives you that unified view of core access management, core governance, core privileged access, brings all of those identities, whether it be human or non-human, into a single directory and can discover them, can control them, can govern them. And it shouldn’t matter whether they were built by your users, by third parties, by partners, by your supply chain contractors. That unified identity security fabric will deliver comprehensive security and it should be deeply orchestrated into any technology stack. And those products already exist, and it just so happens that Okta is building a reference implementation.

Robert Dutt: Works out well for you then, doesn’t it?

Jack Hirsch: It does.

Robert Dutt: I appreciate your taking the time, Jack. It’s been an interesting conversation and it’s a fascinating and ever-evolving area.

Jack Hirsch: Thank you very much. All right. Thanks, Rob. And thanks everyone. Appreciate the time.

There you have it, a look at shadow AI through an identity lens with Jack Hirsch from Okta. I’d like to thank Jack for joining us for the show and thank you for listening today. The podcast will be back in your feed tomorrow as we take a look at the launch of Lexful, an AI-first documentation tool for MSPs that boasts, if you can believe it, a robotic channel chief. We’ll find out all about that tomorrow. You’ll want to be sure to catch that, so please subscribe to or follow the podcast in your podcast app of choice. And if it allows you to do so, please consider leaving a rating or review of the show. Until tomorrow, I’m Robert Dutt for ChannelBuzz.ca and I’ll see you in the channel.

Federal Tech Podcast: Listen and learn how successful companies get federal contracts
Fed up with FedRAMP? How Knox Delivers Authorization in 90 Days

Feb 24, 2026 (26:44)


When people look back on 2025, they will see many changes in the FedRAMP process. It looks like a new administration examined the process, got feedback from companies, and launched new initiatives to speed it up. During today's interview, Irina Denisenko (Knox CEO) details FedRAMP's challenges and something called "FedRAMP 20x." Knox runs the largest FedRAMP-managed cloud, enabling 90-day authorizations by hosting customers' production environments. Denisenko explains the origin of Knox Systems: she was running a training company and the Air Force wanted to use her product. It would have taken so long to complete the FedRAMP requirements that she just bought a company that was already FedRAMP compliant. It is hard to believe that the process is so frustrating that fewer than 500 apps are authorized at FedRAMP Moderate/High. The initiative from the GSA is called FedRAMP 20x. It shifts to continuous monitoring and continuous authorization, moving from annual audits (sampled every 3 years) and monthly CVE spreadsheets to real-time, machine-readable data. What Knox offers is a tried-and-true platform that has reduced the time needed for compliance in order to better serve federal needs.

Federal Tech Podcast: Listen and learn how successful companies get federal contracts
Fixing FedRAMP: How Automation Cuts ATO Time by 36 Weeks

Feb 17, 2026 (23:28)


Way back in 2011, one of the goals of FedRAMP was to eliminate software redundancy. The federal government had evolved to the point where one agency would spend millions of dollars on the same application program that an agency in the same zip code had just invested heavily in. The theory proposed by luminaries like Vivek Kundra was to move to the cloud to share services, reducing cost and improving resilience. FedRAMP was the initiative that established a safe environment for federal cloud use. Companies can comply with the regulations outlined in an Authorization to Operate (ATO). Well, fifteen years later, we are seeing the same duplication, not in the application programs but in the process to get the ATO itself. For example, FedRAMP, RMF, and agency internal policies may each require specific artifacts to satisfy one or the other. During the interview, Travis Howerton paints the legacy model: static documentation, annual/3-year audits, spreadsheets. His solution is to have AI assist with documentation, which will drastically reduce compliance time; he cites an example of reducing a process from 52 weeks to 356 weeks. RegScale uses OSCAL (XML/YAML/JSON) to auto-generate RMF artifacts and integrate with SIEMs (Splunk, Elastic), Axonius, ServiceNow, and APIs. Howerton understands the limitations of many automated systems and suggests that a human remains a key component: after the machine has assembled the data, a person makes the decision.

Federal Drive with Tom Temin
FedRAMP turns to government cloud leaders for ways to improve the program

Federal Drive with Tom Temin

Jan 30, 2026 · 7:39


After a year of talks with industry on how to improve the program, FedRAMP is turning inward. Leaders of the government's cloud security assessment program say they're increasing their engagements with federal agencies and the Office of Management and Budget as they continue to work toward a faster, less costly version of the program, called “FedRAMP 20x.” But they say they've already made significant improvements, and with a smaller budget. Here's Federal News Network's Jared Serbu with the details.

Federal Drive with Tom Temin
FedRAMP is getting faster, new automation and pilots promise approvals in months, not years

Federal Drive with Tom Temin

Jan 23, 2026 · 11:46


With FedRAMP 20x and the 2026 Phase 2 pilot, the government is moving toward automation, machine-readable evidence, and collaborative monitoring. We'll explore what these changes mean for SaaS providers and how companies can cut costs and timelines without sacrificing security with Irina Denisenko, CEO of Knox Systems.

Oracle University Podcast
Driving Business Value with OCI–Part 1

Oracle University Podcast

Jan 14, 2026 · 16:32


Understanding cloud costs can be challenging, but it's essential for maximizing value. In this episode, hosts Lois Houston and Nikita Abraham speak with Oracle Cloud experts David Mills and Tijo Thomas about how Oracle Cloud Infrastructure offers predictable pricing, robust security, and high performance. They also introduce FinOps, a practical approach to tracking and optimizing cloud spending.

Cloud Business Jumpstart: https://mylearn.oracle.com/ou/course/cloud-business-jumpstart/152957
Oracle University Learning Community: https://education.oracle.com/ou-community
LinkedIn: https://www.linkedin.com/showcase/oracle-university/
X: https://x.com/Oracle_Edu

Special thanks to Arijit Ghosh, David Wright, Kris-Ann Nansen, Radhika Banka, and the OU Studio Team for helping us create this episode.

-------------------------------------------------------------

Episode Transcript:

00:00 Welcome to the Oracle University Podcast, the first stop on your cloud journey. During this series of informative podcasts, we'll bring you foundational training on the most popular Oracle technologies. Let's get started!

00:27 Nikita: Welcome back to another episode of the Oracle University Podcast! I'm Nikita Abraham, Team Lead of Editorial Services with Oracle University, and I'm joined by Lois Houston, Director of Communications and Adoption with Customer Success Services.

Lois: Hi everyone! Last week, we talked about how Oracle Cloud Infrastructure brings together developer tools, automation, and AI on a single platform. In today's episode, we're highlighting the real-world impact OCI can have on business outcomes.

00:58 Nikita: And to tell us about this, we have our experts David Mills and Tijo Thomas back with us. David is a Senior Principal PaaS Instructor and Tijo is a Principal OCI Instructor, and they're both from Oracle University. David, let's start with you. What makes Oracle Cloud Infrastructure the trusted choice for organizations across industries like banking, healthcare, retail, and government?

David: It all comes down to one thing. OCI was built for real businesses, not side projects, not hobby apps, not test servers, but mission-critical systems at scale. Most clouds brag about their speed, but OCI is consistently fast, even under pressure. And that's because Oracle built OCI on a non-blocking network and bare metal infrastructure, with dedicated resources and no noisy neighbors. So, whether you're running one application or 1,000, you get predictable, low-latency performance every time. OCI doesn't force you into any specific mold. You want full control? Spin up a virtual machine and configure everything. You need to move fast? Use a managed service like Autonomous Database or Kubernetes. Prefer to build your own containers, functions, APIs, or develop with low-code or even no-code tools? OCI supports all of it. And it plays nicely with your existing stack, on-prem or in another cloud. OCI adapts to how you already work instead of making you start over.

02:39 Lois: And when it comes to pricing, how does OCI help customers manage costs more effectively?

David: OCI is priced for real business use, not just the flashy low entry number. You only pay for what you use. No overprovisioning, no lock-in. Virtual machines can scale up and down automatically. Object storage automatically shifts to a lower-cost tier based on frequency of access. Autonomous services don't need babysitting or patching. And unlike some providers, OCI doesn't charge you to get your own data back. It's enterprise-grade cloud without enterprise-grade sticker shock.

03:26 Lois: Security and flexibility are top priorities for many organizations. How does OCI address those challenges?

David: OCI treats security as a starting point, not an upsell. From the moment you create an account, every tenant is isolated. All data is encrypted. Admin activity is logged, and security tools like Cloud Guard are ready to go. And if you need to prove compliance for GDPR, FedRAMP, HIPAA, or more, you're covered. OCI is trusted by the world's most regulated industries. Most companies don't live in one cloud. They've got legacy systems, other cloud providers, and different teams doing different things. OCI is designed to work in hybrid and multi-cloud environments. Connect to your on-prem apps with VPN or FastConnect. Run Oracle workloads in your data center with Cloud@Customer. Interconnect with Azure and Google Cloud or integrate with Amazon. OCI isn't trying to lock you in. It's seeking to meet you where you are and help you modernize without breaking what works.

04:40 Nikita: Can you share an example of a business that's seen measurable results with OCI?

David: A national health care provider was stuck on aging hardware with slow batch processing and manual upgrades. They migrated core patient systems to OCI and used Oracle Autonomous Database for faster, self-managed workloads. They leveraged Oracle Integration to connect legacy electronic health records, OCI FastConnect to keep real-time sync with data in their on-prem systems, and they went from 12-hour downtime windows to zero, from three weeks to launch a feature to three days, and they cut infrastructure cost by 38%. And that's what choosing OCI looks like.

05:37 Are you looking to boost your expertise in enterprise AI? Check out the Oracle AI Agent Studio for Fusion Applications Developers course and professional certification, now available through Oracle University. This course helps you build, customize, and deploy AI Agents for Fusion HCM, SCM, and CX, with hands-on labs and real-world case studies. Ready to set yourself apart with in-demand skills and a professional credential? Learn more and get started today! Visit mylearn.oracle.com for more details.

06:12 Nikita: Welcome back! Tijo, controlling costs while driving innovation is a tough balancing act for many organizations. What are the biggest challenges organizations face when trying to manage and optimize their cloud spending?

Tijo: The first one is unexpected cloud cost. Let's be honest. Cloud bills can be shocking. You think you've got things under control, then the invoice shows up and you realize it is way over the budget. Without real-time visibility, it is quite hard to catch these surprises before they happen. The next one is waste of resources and inefficiencies. It is quite common to find resources that are just sitting idle, such as unused storage, underutilized CPU, or overprovisioned memory. It may not seem like there is much resource wastage at first, but over time all that is really going to add up. Then there is no clear ownership of cloud spend. It is one of the big problems in cost management. If costs are not clearly tagged to a team or a project, nobody feels responsible, and that makes it really tough to manage or reduce the cloud spend. There are also misaligned priorities across teams: looking at different teams like finance, they may want to cut the cost, while engineering wants to move faster, and operations wants everything to be up and running. While every team is doing their best, without a common approach to cost, it becomes challenging to prioritize tasks. Slow and reactive decision making is another challenge. Most cost issues get identified after the bill is invoiced, and by then the budget has already been spent. Without timely data, it becomes difficult to make real-time changes. And then there is the complex, multi-cloud and regional footprint. As businesses grow across regions and with a multi-cloud deployment model, tracking where the budget is going gets really tricky. More services means there are more teams and more complexity. Now, all of these challenges have one thing in common. They need a better way to manage cloud cost together. And this is where FinOps comes in.

08:42 Lois: And what exactly is FinOps? How does it address these cloud cost challenges?

Tijo: FinOps stands for financial operations. It is a framework that brings teams like engineering, operations, finance, and beyond to work together so that cloud spending becomes smarter, more visible, and better aligned with business goals. And so FinOps is not just a tool, it is a way of working. According to the FinOps Foundation, the FinOps lifecycle happens in three phases: inform, optimize, and operate. The inform phase is about visibility and allocation, which means you gather the cost, usage, and efficiency data in order to forecast and budget. The optimize phase is about rates and usage, and this is where you would take action to optimize or bring efficiencies. And then in operate, you turn those into continuous improvements through policies, trainings, and automation.

09:51 Nikita: Let's unpack FinOps a bit more. Why is understanding your cloud subscription model so fundamental in the Inform phase?

Tijo: Because cost visibility is very important while managing your Oracle Cloud subscription. There are two ways to purchase OCI services. The first one, we refer to it as the pay-as-you-go model, which means you pay for what you use, and the second one is called the universal credit annual commitment model, where you purchase a prepaid amount of universal credits, and the prepaid amount is drawn down based on actual usage. OCI provides a portal called FinOps Hub, where you can easily track how your usage has changed month by month over the past year. Through the Hub, you can monitor whether you have stayed within your credit allocation or not. You will also see how much of your committed credits have been used, how much is left, and when your commitment is set to expire. The next step is to gain visibility, or to understand the cost. In Oracle Cloud Infrastructure, this starts with the service called Cost Analysis. OCI Cost Analysis is a service that helps you filter, group, and visualize your cloud cost in a way that makes sense for your business. You can compare cost over time. You can drill down the cost by service, and track that spending by specific teams or projects. And then finally export detailed reports for finance or leadership reviews. OCI Cost Analysis gives you an interactive, near real-time view of your cloud spending. So you're not just seeing the numbers, you are understanding what is driving them. The next one is about setting up spending limits, and this is done through OCI Budgets. For example, the organization can set up a monthly budget for the development team. If their cloud usage exceeds 80% of that limit, an alert will be triggered to notify the team. This means you can configure a threshold, send alerts, or even take actions automatically.

12:16 Lois: Tijo, what happens during the Optimize and Operate phases of the FinOps framework?

Tijo: The inform stage was more about awareness. In the optimize phase, you take the data you've collected and use it to optimize resources and improve efficiency. In OCI, we'll start with Cloud Advisor. OCI Cloud Advisor finds potential inefficiencies in your tenancy and offers you guided solutions that explain how to address them. The recommendations help you to maximize cost savings. For example, it gives you personalized recommendations like deleting idle resources or resizing compute instances. Secondly, you can identify steps for performance improvements. And finally, enhance high availability and security by suggesting configurations for your cloud resources. In the third phase, operate, it is about making optimization a routine of continuous improvement, and this is done through incorporating FinOps into your organization. OCI provides cost and usage reports that can automatically generate daily reports. These reports show detailed usage data for every OCI service that you're using. You can export cost reports in FOCUS format. FOCUS is an industry standard and it stands for FinOps Open Cost and Usage Specification.

13:52 Nikita: And what makes the FOCUS format important for organizations?

Tijo: The format enables the cost data to be consistent. It is well structured, and ready to use with other FinOps tools or dashboards. These reports can also be ingested into Business Intelligence or analytics tools that will help you with better visualizations. Organizing your resources the right way is the key to getting more accurate and simplified data. Without a clear structure, your cost data will be too complex. In OCI, this structure starts with your tenancy. The tenancy is your top-level OCI account, and it represents the cloud presence of your entire organization. Next, you have compartments. Compartments help you break down your cloud environment into logical groups, for example, by department, business unit, or project. Then there are tags, and this is where cost visibility gets more meaningful. Tags allow you to assign custom labels to each resource. Things like environment type, cost center, or the owner name.

15:06 Lois: Some people think cost visibility is a concern mainly for finance teams. What's your perspective on this?

Tijo: Cost visibility should be a shared responsibility, which means it shouldn't just be shared with finance. Engineers, architects, and project owners all need to have access to the cost data that is relevant to them. Because when teams have visibility, they take ownership, and that leads to better decisions which are faster, smarter, and more aligned to business goals.

15:42 Nikita: Thank you, David and Tijo, for joining us and sharing your insights.

Lois: If you'd like to learn more, visit mylearn.oracle.com and look for the Cloud Business Jumpstart course. Next week, we'll explore security and compliance in OCI. Until next time, this is Lois Houston…

Nikita: And Nikita Abraham signing off!

16:03 That's all for this episode of the Oracle University Podcast. If you enjoyed listening, please click Subscribe to get all the latest episodes. We'd also love it if you would take a moment to rate and review us on your podcast app. See you again on the next episode of the Oracle University Podcast.

FedBiz'5
2026 GovCon Playbook: Six Trends Small Businesses Can't Ignore

FedBiz'5

Jan 6, 2026 · 10:24


In this episode of FedBiz'5, we break down the late-2025 signals that are already reshaping government contracting in 2026 – and what they really mean for small and mid-sized businesses. From the ongoing FAR overhaul and tightening cybersecurity expectations under CMMC, to FedRAMP 20x, GSA Schedule ordering trends, evolving SBA certification processes, and a more dynamic SAM.gov, the rules of the game aren't changing overnight – but the playing field definitely is. You'll learn how these six trends are showing up in real proposals, registrations, and contract vehicles, why “good enough” boilerplate and outdated profiles are becoming a liability, and how disciplined, low-friction vendors can actually turn this wave of change into an advantage. Whether you're already winning federal work or gearing up for a stronger 2026, this episode will help you focus on the operational tweaks that matter most – so you can stay compliant, stay visible, and stay competitive as the new landscape takes shape. Visit us: FedBizAccess.com. Need help in the government marketplace? Call a FedBiz Specialist today: 844-628-8914, or schedule a complimentary consultation at your convenience.

ITSPmagazine | Technology. Cybersecurity. Society
Rethinking Public Health Workflows Through Automation and Governance: Why Data Modernization May Be The Key | A Conversation with Jim St. Clair | Redefining CyberSecurity with Sean Martin

ITSPmagazine | Technology. Cybersecurity. Society

Dec 9, 2025 · 44:06


⬥ EPISODE NOTES ⬥

Artificial intelligence is reshaping how public health organizations manage data, interpret trends, and support decision-making. In this episode, Sean Martin talks with Jim St. Clair, Vice President of Public Health Systems at a major public health research institute, Altarum, about what AI adoption really looks like across federal, state, and local agencies.

Public health continues to face pressure from shifting budgets, aging infrastructure, and growing expectations around timely reporting. Jim highlights how initiatives launched after the pandemic pushed agencies toward modernized systems, new interoperability standards, and a stronger foundation for automated reporting. Interoperability and data accessibility remain central themes, especially as agencies work to retire manual processes and unify fragmented registries, surveillance systems, and reporting pipelines.

AI enters the picture as a multiplier rather than a replacement. Jim outlines practical use cases that public health agencies can act on now, from community health communication tools and emergency response coordination to predictive analytics for population health. These approaches support faster interpretation of data, targeted outreach to communities, and improved visibility into ongoing health activity.

At the same time, CISOs and security leaders are navigating a new risk environment as agencies explore generative AI, open models, and multi-agent systems. Sean and Jim discuss the importance of applying disciplined data governance, aligning AI with FedRAMP and state-level controls, and ensuring that any model running inside an organization's environment is treated with the same rigor as traditional systems.

The conversation closes with a look at where AI is headed. Jim notes that multi-agent frameworks and smaller, purpose-built models will shape the next wave of public health technology. These systems introduce new opportunities for automation and decision support, but also require thoughtful implementation to ensure trust, reliability, and safety. This episode presents a realistic, forward-looking view of how AI can strengthen the future of public health and the cybersecurity responsibilities that follow.

⬥ GUEST ⬥ Jim St. Clair, Vice President, Public Health Systems, Altarum | On LinkedIn: https://www.linkedin.com/in/jimstclair/

⬥ HOST ⬥ Sean Martin, Co-Founder at ITSPmagazine and Host of Redefining CyberSecurity Podcast | On LinkedIn: https://www.linkedin.com/in/imsmartin/ | Website: https://www.seanmartin.com

⬥ RESOURCES ⬥ N/A

⬥ ADDITIONAL INFORMATION ⬥ ✨ More Redefining CyberSecurity Podcast: 

The Daily Scoop Podcast
A special interview with Federal CIO Greg Barbaccia

The Daily Scoop Podcast

Dec 9, 2025 · 23:02


As 2025 and the first year of the second Trump administration come to a close, Federal CIO Greg Barbaccia sat down with FedScoop reporter Madison Alder for a wide-ranging interview on the state of federal IT, including critical initiatives like FedRAMP modernization, AI adoption, federal tech talent, the consolidation of federal tech and contracting, what's ahead in 2026, and much more. The Daily Scoop Podcast is available every Monday-Friday afternoon. If you want to hear more of the latest from Washington, subscribe to The Daily Scoop Podcast on Apple Podcasts, Soundcloud, Spotify and YouTube.

Feds At The Edge by FedInsider
Ep. 227 Ensuring Data Security and Compliance

Feds At The Edge by FedInsider

Dec 3, 2025 · 59:54


Back in 2011, FedRAMP was put together because each federal agency had to conduct its own time-consuming security audit. The idea was to standardize security to reduce costs and accelerate cloud adoption. About ten years later, state leaders saw the same problem. Over the years, they worked out a security guidance package that was released this year. GovRAMP was launched to address many of the same challenges faced by the federal government: to establish a standard that enables transparency, standardization, and community. GovRAMP's framework is based on NIST SP 800-53 Rev. 5. Tony O'Neil from Massachusetts observed that before GovRAMP, each state had a patchwork of security guidelines. With so much variation across states, a simplified environment could reduce costs and enable leaders to adopt a mindset of investing in people. Today, we sat down with data security experts who detailed how compliance programs are implemented to improve data security. The conversation also covered the importance of continuous monitoring, the role of CSPs in maintaining security, and the necessity of proper resource allocation for cybersecurity professionals.

FedScoop Radio
HPE's Bob Friday on how AI and cloud are transforming federal network modernization

FedScoop Radio

Dec 2, 2025 · 8:49


Bob Friday, Chief AI Officer for HPE Networking, discusses how federal agencies are rethinking network modernization in the face of rising complexity, new security demands, and the accelerating influence of AI. Friday shares what he's hearing from federal IT leaders about their most urgent challenges—cloud migration hurdles, stringent security requirements like FedRAMP and FIPS, and the staffing constraints shaping today's modernization efforts. He also breaks down the technology trends driving HPE's approach, including the shift to real-time AI-ops, the organizational changes required to fully leverage agentic AI, and how HPE's acquisition of Juniper Networks strengthens the push toward a “self-driving network.”

UC Today - Out Loud
Securing the New Era of Collaboration with Webex

UC Today - Out Loud

Dec 1, 2025 · 14:08


In this episode of UC Today, host Kieran Devlin sits down with Amit Barave, Vice President of Product Management at Webex by Cisco, to explore how the collaboration giant is securing digital communication in an era of AI-powered threats, distributed teams, and rising compliance demands. From zero trust principles to vertical-specific safeguards, this discussion offers a deep dive into how Webex is redefining trust and usability for enterprises worldwide. How do you secure every click, call, and conversation without killing collaboration? In this thought-provoking interview, Webex's Amit Barave shares how his team is building security directly into the DNA of the Webex Suite while ensuring the user experience remains intuitive and frictionless.

Unveiled: GovCon Stories
Diversification Through Reselling

Unveiled: GovCon Stories

Nov 20, 2025 · 73:49


Operating as a small business in government contracting is expensive and competitive. Everyone tells you to "stand out" and "differentiate," but when you're already stretched thin on resources, how do you decide where to invest? In this co-host episode, Tasha and Yas tackle the real costs and challenges of strategic differentiation. They explore how selling hardware and software products can create new revenue streams (and what compliance hurdles you'll face), examine certifications like CMMC and CMMI that can unlock contract opportunities (and whether the six-figure price tags are worth it), and discuss creative diversification strategies that don't require massive capital investments. From GSA Schedules and FedRAMP certification to strategic partnerships and niche specialization, this episode delivers an honest conversation about what it takes to compete effectively in today's GovCon market. Whether you're considering your first product line, evaluating whether a certification makes sense for your business stage, or exploring SLED and commercial opportunities, Tasha and Yas provide a practical decision framework to help you invest strategically. Key topics covered include product sales and the compliance differences between hardware and software, how to prioritize certifications like CMMC, CMMI, ISO, and FedRAMP, and alternative differentiation strategies such as geographic expansion, partnerships, IP development, and niche specialization. They also break down real cost and timeline expectations for each option, along with a clear decision-making framework that highlights green lights and red flags for smart investments. The episode even includes accessible strategies designed specifically for businesses under $5M in revenue. Whether you're new to the GovCon space or a seasoned professional looking to grow with intention, this episode provides the honest insights you need to make smarter decisions about differentiation and investment.

Call(s) to Action: Interested in learning more about or leveraging Collective's services? Schedule a call to learn more about how Collective can help power your business. Help spread the word about Unveiled: GovCon Stories. Do you want to be a guest or recommend a topic that you would like to learn or hear about on the podcast? Let us know through our guest feedback and registration form.

Sponsors: The views and opinions expressed in this podcast are solely those of the hosts and guests, and do not reflect the views or endorsements of our sponsors. Withum – Diamond Sponsor! Withum is a forward-thinking, technology-driven advisory and accounting firm, helping clients to be in a position of strength in today's complex business environment. Go to Withum's website to learn more about how they can help your business!

The Daily Scoop Podcast
Perplexity becomes second AI platform cleared for FedRAMP prioritization

The Daily Scoop Podcast

Nov 19, 2025 · 4:50


Perplexity AI, an AI-powered search engine, is ramping up its push for government use, inking a new deal with the General Services Administration to offer its product for just 25 cents per agency. GSA announced the deal with Perplexity on Wednesday, emphasizing that the product will be offered directly through the agency's Multiple Award Schedule rather than through a government reseller, a first-of-its-kind agreement. The move aligns with GSA's OneGov initiative, which aims to work directly with technology vendors to cut prices and streamline contracting. Under the deal, Perplexity's Enterprise Pro for Government will be available on GSA's MAS for a quarter to agencies over an 18-month term. In doing so, Perplexity also received prioritized authorization under FedRAMP, the government's primary security review program that approves cloud-based technologies for federal use. Perplexity is only the second company to do so, joining OpenAI, which received prioritized authorization in September. According to GSA, Perplexity's Enterprise platform was also streamlined through the FedRAMP 20x pilot, which is focused on simplifying the cloud services approval process and reducing the timeline from months to weeks. Perplexity's platform uses large language models from other companies, such as Anthropic's Claude or OpenAI's ChatGPT, to conduct real-time internet searches and generate summaries for users. GSA noted Perplexity's platform has optional connections to common agency systems like Microsoft's OneDrive, Outlook or SharePoint. The Department of Health and Human Services is exploring how artificial intelligence can support caregivers with the launch of a new $2 million prize competition for AI caregiver tools. HHS Secretary Robert F. Kennedy Jr. 
announced the “Caregiver Artificial Intelligence Prize Competition” at an event Tuesday for National Family Caregivers Month, stating the agency is calling on engineers, scientists and entrepreneurs to use AI to “make caregiving smarter, simpler and more humane.” Kennedy said: “Many caregivers work around the clock, 24 hours a day, seven days a week, taking care of their loved ones with lifelong disabilities, dementia or chronic illness. Too many lose their income, their job, their aspirations and ambitions for themselves and even their own health in the process.” The HHS's Administration for Community Living (ACL) emphasized that the direct care workforce is facing increased shortages, leaving family caregivers to fill the void. According to an AARP report published in July, nearly 1 in 4 adults provided ongoing care for an adult or child with a complex medical condition or disability. These caregivers spend, on average, about $7,200 a year in out-of-pocket caregiving expenses, the report found. The competition will seek tools that benefit the professional care workforce or personal caregivers. Developers could be awarded up to $2 million for the products. The Daily Scoop Podcast is available every Monday-Friday afternoon. If you want to hear more of the latest from Washington, subscribe to The Daily Scoop Podcast on Apple Podcasts, Soundcloud, Spotify and YouTube.

ATARC Federal IT Newscast
Interview with Allen Hill, Retired Chief Information Officer at the Federal Communications Commission

Nov 19, 2025 (26:42)

In this episode, host Tom Suder, Founder of the Advanced Technology Academic Research Center, sits down with Allen Hill, retired Chief Information Officer at the Federal Communications Commission, for a reflective conversation on four decades of service in federal IT. They explore the FCC's cloud transformation, the shift to secure FedRAMP environments, and the importance of building technical teams that can both architect and execute modernization at scale. Beyond technology, Hill offers perspective on leadership, mentorship, and sustaining a mission-driven career in public service. Whether you work in federal IT, lead modernization initiatives, or follow the evolution of government technology, this episode provides valuable insight from one of the community's most respected CIOs.

WBSRocks: Business Growth with ERP and Digital Transformation
WBSP788: Grow Your Business by Learning from Enterprise Software Stories - Jul 2025, Ep 25, an Objective Panel Discussion

Nov 18, 2025 (61:34)

This week's customer experience and marketing technology updates highlight a clear shift toward deeper intelligence, tighter collaboration, and more secure enterprise-grade platforms. CallMiner strengthened its conversational analytics footprint with the acquisition of VOCALLS, while Contentstack expanded its composable ecosystem by launching the new Data and Insights solution. Mosaicx introduced the next generation of its Engage platform, and Salesforce continued its march toward unified workflows by embedding Slack directly into CRM collaboration. In the government and regulated markets, Talkdesk achieved FedRAMP authorization for its CX Cloud Government Edition, signaling a major milestone for secure cloud CX. Meanwhile, Treasure Data rolled out five new AI suites aimed at enhancing customer experiences, Uniphore unveiled a new suite of AI marketing agents, and Zeta Global provided fresh details on its new Zeta Answers offering—collectively reflecting increased innovation and maturity across the CX and martech landscape.

In today's episode, we invited a panel of industry analysts for a live discussion on LinkedIn to analyze current enterprise software stories. We covered a lot of ground, including the direction and roadmaps of each enterprise software vendor. Finally, we analyzed future trends and how they might shape the enterprise software industry.

Video: https://www.youtube.com/watch?v=85vq3s9786E

GRC Academy
Deltek's Journey to FedRAMP Moderate Equivalency

Nov 18, 2025 (36:15)

I have a surprise for you --- the last GRC Academy podcast!

In this last episode, Michael Greenman from Deltek shares the journey to FedRAMP Moderate Equivalency for Deltek Costpoint GovCon Cloud Moderate (GCC-M). And let me tell you, it's quite a story: changes in the control baseline, new policy from the DoW, and lessons learned.

Here are some of the biggest takeaways:
- The real-world implications of DoW's equivalency definition
- How the absence of continuous monitoring shapes the trust model
- How Deltek developed a customer responsibility matrix that reduces friction for their customers
- Should the DoW blow up FedRAMP moderate equivalency?

We also discussed improvements that can be made by the DoW, the Cyber AB, and more! We recorded this months ago, but this conversation is still very relevant.

On another note, it is kind of surreal to think this is the last episode of the GRC Academy podcast. I hope you've enjoyed listening! What were your biggest takeaways? Let me know in the comments.

Follow Michael on LinkedIn: https://www.linkedin.com/in/michael-greenman-94952a3/
Deltek Costpoint GCC-M: https://www.deltek.com/en/government-contracting/costpoint/cloud
Online GRC Training: https://tekfused.com/marketplace/?utm_source=podcast&utm_medium=s2-12&utm_campaign=marketplace#cmmc

Risk Management Show
How early CMMC 2.0 and FedRAMP adoption creates market advantage with Shrav Mehta

Nov 17, 2025 (20:35)

In this episode of the Global Risk Community podcast, we explore the critical topic of CMMC 2.0 and FedRAMP Compliance and why early action saves contracts. Our host, Boris Agranovich, speaks with Shrav Mehta, founder and CEO of Secureframe, a leader in simplifying compliance processes for businesses. Shrav shares his expert insights on navigating the complex compliance landscape for federal contractors, focusing on CMMC 2.0 requirements and the transformative impact of the new FedRAMP 20x framework. Learn how early action on compliance can save your contracts, streamline workflows, and ensure your organization stays competitive in the defense and federal sectors. We discussed the challenges and costs contractors face with CMMC Level 1 and Level 2 certifications, the differences between FedRAMP and CMMC, and how automation and tools like Secureframe can make compliance more accessible and effective. Shrav also shared his perspective on why prioritizing compliance now is crucial for success in the defense industry.  

WBSRocks: Business Growth with ERP and Digital Transformation
WBSP786: Grow Your Business by Learning from Enterprise Software Stories - Jul 2025, Ep 24, an Objective Panel Discussion

Nov 11, 2025 (61:14)

The enterprise tech landscape saw a wave of AI-driven advancements this week, with major vendors pushing deeper into intelligent automation and unified customer experiences. Sage introduced its AI-powered Copilot to Sage X3, while Storyblok rolled out two new integrations to strengthen content operations. Workday expanded its ecosystem with a new AI Agent Partner Network and Gateway, and AdDaptive Intelligence broadened its AI-powered advertising platform. In the CX space, CallMiner acquired VOCALLS and Mosaicx launched the next generation of its Engage platform. Contentstack unveiled a new Data and Insights solution, Salesforce embedded Slack for tighter CRM collaboration, and Talkdesk secured FedRAMP authorization for its CX Cloud Government Edition. Rounding out the announcements, Treasure Data released five new AI suites focused on customer experience, Uniphore introduced a suite of AI marketing agents, and Zeta Global shared details on its new Zeta Answers offering—collectively signaling an accelerating shift toward more intelligent, integrated, and automated digital ecosystems.

In today's episode, we invited a panel of industry analysts for a live discussion on LinkedIn to analyze current enterprise software stories. We covered a lot of ground, including the direction and roadmaps of each enterprise software vendor. Finally, we analyzed future trends and how they might shape the enterprise software industry.

Video: https://www.youtube.com/watch?v=iplWl80n90YZhdGlx
Background Soundtrack: Away From You – Mauro Somm

Feds At The Edge by FedInsider
Ep. 224 Strengthen and Automate Your Cyber Risk Management

Nov 6, 2025 (56:50)

Today, we take a nuanced look at automating cyber risk management.

Let's start with ingress of data. Kemp Jennings-Roach from the DoD understands the concept of having a complete inventory of an agency's data. Still, his experience shows that data coming in from multiple missions, potentially with various classifications, can be challenging. Combine that with varying kinds of reporting requirements, and you get a process that can overwhelm even the most experienced individuals. His recommendation is to consider a platform approach that can help normalize data, allowing it to be used in a meaningful way.

Matt Goodrich from Diligent expands on some of the benefits of automation. For example, you may have a shortage of talent that can be compensated for with an automated platform. Automation reduces human error and can speed up the time to report. Goodrich makes a great point about summarizing information. The goal of reviewing logs for anomalies is not to create a report, but to increase speed to action.

Rather than arbitrarily selecting an automated system, Goodrich suggests looking for tools that can integrate with existing systems and align with compliance frameworks, such as FedRAMP and NIST CSF.

No Password Required
No Password Required Podcast Episode 65 — Steve Orrin

Nov 4, 2025 (44:51)

Keywords: cybersecurity, technology, AI, IoT, Intel, startups, security culture, talent development, career advice

Summary: In this episode of No Password Required, host Jack Clabby and Kayleigh Melton engage with Steve Orrin, the federal CTO at Intel, discussing the evolving landscape of cybersecurity, the importance of diverse teams, and the intersection of technology and security. Steve shares insights from his extensive career, including his experiences in the startup scene, the significance of AI and IoT, and the critical blind spots in cybersecurity practices. The conversation also touches on nurturing talent in technology and offers valuable advice for young professionals entering the field.

Takeaways:
- IoT is now referred to as the Edge in technology.
- Diverse teams bring unique perspectives and solutions.
- Experience in cybersecurity is crucial for effective team building.
- The startup scene in the 90s was vibrant and innovative.
- Understanding both biology and technology can lead to unique career paths.
- AI and IoT are integral to modern cybersecurity solutions.
- Organizations often overlook the importance of security in early project stages.
- Nurturing talent involves giving them interesting projects and autonomy.
- Young professionals should understand the hacker mentality to succeed in cybersecurity.
- Customer feedback is essential for developing effective security solutions.

Titles:
- The Edge of Cybersecurity: Insights from Steve Orrin
- Navigating the Intersection of Technology and Security

Sound bites:
- "IoT is officially called the Edge."
- "We're making mainframe sexy again."
- "Surround yourself with people smarter than you."

Chapters:
00:00 Introduction to Cybersecurity and the Edge
01:48 Steve Orrin's Role at Intel
04:51 The Evolution of Security Technology
09:07 The Startup Scene in the 90s
13:00 The Intersection of Biology and Technology
15:52 The Importance of AI and IoT
20:30 Blind Spots in Cybersecurity
25:38 Nurturing Talent in Technology
28:57 Advice for Young Cybersecurity Professionals
32:10 Lifestyle Polygraph: Fun Questions with Steve

Category Visionaries
Why First Resonance killed their PLG motion and rebuilt for enterprise manufacturing sales | Karan Talati

Oct 30, 2025 (22:49)

First Resonance provides factory orchestration and coordination software for scaling hardware companies. Founded by SpaceX veterans in 2019, the company focused on filling the gap between legacy manufacturing systems and the needs of emerging hard tech startups. In a recent episode of Category Visionaries, we sat down with Karan Talati, CEO & Co-Founder of First Resonance, to learn about the company's journey building Ion—their manufacturing operations platform—and how they're enabling companies scaling from R&D prototypes to production manufacturing across aerospace, defense, nuclear energy, and advanced manufacturing.

Topics Discussed:
- Karan's time at SpaceX during hypergrowth (employee 2,000 to 6,000+) and the transition from single rocket design to production operations
- Why First Resonance walked away from pursuing legacy aerospace and defense giants
- The failed PLG experiment and pivot to enterprise sales with product analytics for expansion
- How the "new space" pattern is repeating in nuclear energy and other hard tech verticals
- Market expansion from aerospace into nuclear energy over the past three to four years
- Advanced manufacturing technology convergence enabling electric aviation (battery density, composite manufacturing, 3D printing)
- AI's role in breaking down knowledge silos between mechanical, electrical, and software engineering
- Defense contractor security requirements: CMMC, FedRAMP, and NIST 800-171
- Brand strategy targeting the new manufacturing workforce versus the retiring old guard

GTM Lessons For B2B Founders:
- Kill upmarket plans when your core segment outpaces them: First Resonance planned to move from scale-ups to traditional defense and aviation giants. They didn't execute. Karan found that staying with scaling startups delivered faster growth and higher ROI than "long sales cycles" with customers "averse to modern technology." The lesson isn't about patience with enterprise—it's about recognizing when your initial segment is expanding faster than you can capture it. If your TAM is growing 40%+ annually from customer expansion alone, moving upmarket is a distraction.
- Test PLG fast, kill it faster in multi-stakeholder environments: First Resonance ran a PLG experiment and "quickly learned it does not" work in manufacturing. The buying process involves "centralized, coordinated, orchestrated, many decision makers, many influencers." But they kept the instrumentation. They use "product utilization and usage and engagement" data to "package subsequent value" for renewals and expansion. The tactical move: instrument your product like PLG, sell like enterprise, and use analytics to drive net dollar retention during annual renewals.
- Treat cloud service provider status as a wedge, not overhead: As a cloud service provider to defense contractors, First Resonance maintains compliance with CMMC, FedRAMP, and NIST 800-171. Rather than viewing this as a cost center, Karan noted "regulations are getting easier, not harder" and that this is "a benefit to innovators." For B2B founders selling to regulated industries: invest in compliance infrastructure early, monitor regulatory roadmaps (like FedRAMP 20x), and position compliance as a competitive moat when competitors can't move as quickly.
- Pattern match your wedge vertical to adjacent disruption: First Resonance saw their aerospace playbook repeat in nuclear energy "literally in the last three, four years." The pattern: legacy incumbents "too big to fail" but "so large and inertial, so hard to move, that startups are going to have to come in and close that gap." When one vertical shows this pattern, adjacent industries with similar incumbent dynamics are expansion candidates. The key signal: former SpaceX/Tesla talent founding companies in that vertical.
- Design brand for the incoming generation, not the incumbent buyer: With the old guard "rapidly retiring" and manufacturing becoming "cool," First Resonance built a brand with "bold colors and straight lines" that "combines cybernetic systems with inspiration from the Matrix." Karan explicitly rejected softer design trends: "throw all that out." For technical products in industries with demographic shifts, design for the 30-year-old engineer who will champion your tool, not the 55-year-old executive who signs the contract.
- Deepen rather than proliferate when customers expand physically: First Resonance doesn't worry about logo count because their customers are "scaling in terms of factory square footage and the number of teams." Their expansion motion: "observe product analytics and customer signals and package subsequent value" for upselling during renewals. The tactic works because aerospace and energy have "a tailwind of decades." For infrastructure software with usage tied to physical operations: if customers are adding factories or production lines, you don't need new logos—you need seat expansion and module attach.

// Sponsors:
Front Lines — We help B2B tech companies launch, manage, and grow podcasts that drive demand, awareness, and thought leadership. www.FrontLines.io
The Global Talent Co. — We help tech startups find, vet, hire, pay, and retain amazing marketing talent that costs 50-70% less than the US & Europe. www.GlobalTalent.co

// Don't Miss: New Podcast Series — How I Hire
Senior GTM leaders share the tactical hiring frameworks they use to build winning revenue teams. Hosted by Andy Mowat, who scaled 4 unicorns from $10M to $100M+ ARR and launched Whispered to help executives find their next role. Subscribe here: https://open.spotify.com/show/53yCHlPfLSMFimtv0riPyM

UC Today - Out Loud
The Next Big CCaaS Consideration: Is My Provider FedRAMP High Accredited?

Oct 30, 2025 (11:55)

CX Today's Charlie Mitchell reveals the big news that Content Guru has become the "first full-stack" CCaaS vendor to secure FedRAMP High Authorization.

The High accreditation level is built for agencies handling highly sensitive data - like law enforcement, healthcare, emergency services, and finance - where strict security is critical. FedRAMP's High baseline safeguards the government's most sensitive unclassified data in the cloud, protecting lives, operations, and financial security.

As such, this is a big step for Content Guru, which secures a big differentiator as it bids to bring cautious enterprises to the cloud, in the public sector and beyond.

Andrew Casson, VP of Public Sector at Content Guru, stresses this in his interview with CX Today's Head of Publication. He also discusses:
- The ins and outs of the FedRAMP certification.
- The differentiating features Content Guru offers in the public sector.
- Examples of Content Guru supporting cautious customers through their CCaaS migrations.

For more on Content Guru's expansive CCaaS portfolio, visit: https://www.contentguru.com/

UC Today - Out Loud
Securing the New Era of Collaboration with Webex

Oct 29, 2025 (14:08)

In this episode of UC Today, host Kieran Devlin sits down with Amit Barave, Vice President of Product Management at Webex by Cisco, to explore how the collaboration giant is securing digital communication in an era of AI-powered threats, distributed teams, and rising compliance demands. From zero trust principles to vertical-specific safeguards, this discussion offers a deep dive into how Webex is redefining trust and usability for enterprises worldwide.

How do you secure every click, call, and conversation—without killing collaboration? In this thought-provoking interview, Webex's Amit Barave shares how his team is building security directly into the DNA of the Webex Suite—while ensuring the user experience remains intuitive and frictionless.

Federal Tech Podcast: Listen and learn how successful companies get federal contracts
Ep. 278 How to deliver Secure, Compliant, and Scalable Cloud Databases for Federal Missions

Oct 28, 2025 (21:56)

Connect to John Gilroy on LinkedIn: https://www.linkedin.com/in/john-gilroy/
Want to listen to other episodes? www.Federaltechpodcast.com

MongoDB has spent years earning a formidable reputation in the developer world; today, we will unpack some of its capabilities for project managers and federal leaders so they can understand where MongoDB may fit in their stack. Conventional wisdom is that MongoDB is a flexible open-source database. Although that is true, this does not do justice to some characteristics that will appeal to the federal audience.

ONE: An agency may have restrictions on where the cloud is not suitable for storage. Because of its ability to use flexible, JSON-like documents, MongoDB has listened to those needs and can have storage in many varying regions. In fact, we have seen a movement to move cloud applications back on premises. MongoDB provides flexibility for working in both hybrid and on-premises environments.

TWO: Most readers have studied encryption and think of it primarily as data at rest. Cloud storage transitions have forced a method where data is encrypted during transit. MongoDB can take encrypted data and search while it remains encrypted. Some will describe encryption at rest, in transit, and now, data in use.

THREE: MongoDB has listened to the federal community and is offering something called MongoDB Atlas for Government. It is a secure, fully managed cloud database service for U.S. Government agencies to modernize applications and oversee sensitive data. During the interview, Ben Cephalo revealed the effort MongoDB is making to serve federal agencies that require FedRAMP High capabilities.

Resilient Cyber
Resilient Cyber w/ Mitch Herckis - Securing the Public Sector

Oct 15, 2025 (39:02)

In this episode, I sit down with Mitchel Herckis, Global Head of Government Affairs at cloud security leader Wiz. We will be discussing all things public sector and cybersecurity, including the evolution of the FedRAMP program, modernizing vulnerability management, and the future of Continuous ATO (cATO).

We covered a lot of ground, including:
- Mitch's background, both at Wiz and inside Government in roles such as OMB
- How Wiz is working with Federal agencies and Defense Industrial Base (DIB) partners on Cloud Security, including the long-needed overhaul of FedRAMP with FedRAMP 20x's efforts.
- The move towards real Continuous Monitoring (ConMon) with real-time visibility of cloud environments, as well as the need for machine-readable artifacts, automations, and streamlined security control assessments.
- The modernization of vulnerability management, including factors such as attack paths, reachability, exploitability, known exploitation, and the importance of focusing on real risks versus noise.
- Moving away from paper-based compliance exercises and bridging the gap between security and compliance.
- Wiz's role as a CVE Numbering Authority (CNA) and the broader CVE program, including its importance for both the Government and industry when it comes to vulnerability management.
- The evolving usage of SBOMs and broader supply chain security.
- Disjointed efforts around the Government at both the Federal and State levels when it comes to Continuous ATO (cATO) and how we can move towards a more cohesive approach to modern system assessment and authorization.
- The importance of Government Affairs and bridging the divide between industry and Government, including bringing in tech leaders into Government, influencing policy, and improving outcomes for citizens and warfighters alike.
- The dual-edged sword that is AI adoption in the public sector.

The Government Huddle with Brian Chidester
196: The One About Modernizing Government Security

Oct 10, 2025 (36:58)

Peter O'Donohue, CTO at Tyto Athene, and Gaurav “GP” Pal, Principal at Stack Armor, join the show to unpack the future of federal compliance, security, and cloud modernization. From automating risk management frameworks to balancing mission urgency with cybersecurity, the discussion dives into how government and industry can partner to drive efficiency, accountability, and continuous monitoring. Finally, we explore insights on the evolution of FedRAMP, secure-by-design practices, and the role of AI and quantum in shaping the next five years of compliance.

Resilient Cyber
Resilient Cyber w/ Kenny Scott - Following the Future of FedRAMP

Oct 6, 2025 (42:16)

In this episode of Resilient Cyber, I sit down with Founder & CEO of Paramify, Kenny Scott, to unpack the evolution of the FedRAMP program, FedRAMP 20x, and discuss what public sector cloud compliance looks like moving into the future.

Kenny and I dove into a lot of topics, including:
- What FedRAMP is and why it matters
- What FedRAMP 20x is and what longstanding challenges associated with FedRAMP and public sector cloud and compliance it is addressing
- The various aspects of FedRAMP 20x, including its phased rollout
- Changes via FedRAMP 20x when it comes to Key Security Indicators (KSI), and how they differ from “controls”
- FedRAMP's modern vulnerability management approach and how it changes from the way vulnerability management was historically handled under FedRAMP
- The importance of automated assessments, machine-readable artifacts, real Continuous Monitoring (ConMon), and more for practical GRC Engineering
- The role of GRC platforms when it comes to modernizing GRC
- What are the implications of FedRAMP 20x for other public sector compliance programs, such as DoD's SWFT, SRG, and RMF

The Daily Scoop Podcast
Sen. Ted Cruz eyes a regulatory AI sandbox program within OSTP; Drew Myklegard stepping down as deputy federal CIO

Sep 11, 2025 (4:15)

Senate Commerce Committee Chairman Ted Cruz said he would introduce legislation to establish AI sandboxes to allow companies “room to breathe” without running up against regulations. Cruz announced that proposal as well as a legislative framework for AI policy ahead of a Wednesday hearing before the Subcommittee on Science, Manufacturing, and Competitiveness on the administration's recent AI Action Plan. The concept of regulatory sandboxes was among the more than 90 policy recommendations outlined in that document. Cruz said during the hearing: “Under the Sandbox Act, an AI user developer can identify obstructive regulations and request a waiver or a modification, which the government may grant for two years via a written agreement that must include a participant's responsibility to mitigate health or consumer risks,” adding that “a regulatory sandbox is not a free pass. People creating or using AI still have to follow the same laws as everyone else.”

Drew Myklegard is stepping down from his role as deputy federal CIO after nearly four years, FedScoop has learned. Two sources with knowledge of the matter said Myklegard told colleagues he's taking a role in the private sector and that his last day will be Sept. 22. A holdover from the Biden administration, Myklegard was appointed to the deputy federal CIO role in early 2022, after a more than eight-year stint in supporting IT operations at the Department of Veterans Affairs. During his time in the Office of the Federal CIO, he championed a number of key governmentwide technology modernization initiatives, including rolling out a new policy reforming federal cloud security authorizations under FedRAMP and guidance on how agencies acquire and inventory AI tools, among others. On Monday, Myklegard was recognized with a FedScoop 50 award in the Golden Gov: Federal Executive of the Year category.

The Daily Scoop Podcast is available every Monday-Friday afternoon. If you want to hear more of the latest from Washington, subscribe to The Daily Scoop Podcast on Apple Podcasts, Soundcloud, Spotify and YouTube.

Paul's Security Weekly
Forrester 2026 Budget Planning Guide and BlackHat 2025 Interviews - Jess Burn, Matt Muller, Danny Jenkins - BSW #412

Sep 10, 2025 (71:11)

With volatility now the norm, security and risk leaders need practical guidance on managing existing spending and new budgetary necessities. Where should they look? Jess Burn, Principal Analyst at Forrester Research, joins Business Security Weekly to discuss Forrester's Budget Planning Guide 2026: Security And Risk. This data-and-insights-driven report provides spending benchmarks and recommendations that will help you budget for an unpredictable near term while enabling the business and mitigating the most critical risks facing your organization. If you're preparing your 2026 budgets, don't miss this interview where you'll learn where to invest, divest, and experiment.

From the buzzing floors of BlackHat 2025 in Las Vegas, CyberRisk TV brings you an exclusive sit-down with Danny Jenkins, CEO & Co-Founder of ThreatLocker. In this high-energy interview, host Doug White dives deep into the real-world challenges of FedRAMP compliance, the million-dollar prep lessons, and the critical importance of secure configurations. Danny shares unfiltered insights into Defense Against Misconfigurations — ThreatLocker's new approach that helps organizations lock down endpoints, enforce application control, and spot hidden risks before attackers do. From Russian-made 7Zip to Chinese coupon clippers lurking in browsers, the conversation reveals shocking examples of threats hiding in plain sight. Whether you're a cybersecurity pro, IT leader, or compliance specialist, this interview offers a rare, behind-the-scenes look at the pain, process, and payoff of operating at the highest security standards in the industry.

Segment Resources: https://threatlocker.com/platform/defense-against-configuration?utm_source=cyberriskalliance&utm_medium=sponsor&utm_campaign=blackhat25q325&utm_content=blackhat25&utm_term=podcast

This segment is sponsored by ThreatLocker. Visit https://securityweekly.com/threatlockerbh to learn more about them!

Live from the CyberRisk TV studio at Black Hat 2025 in Las Vegas, host Matt Alderman sits down with Matt Muller, Field CISO at Tines, for a deep-dive into how Security Operations Centers must evolve. From blowing up the outdated tier system to empowering junior analysts with AI, this conversation uncovers the real strategies driving next-gen cyber defense. Muller explains why traditional SOC models create burnout, how AI can flatten team structures, and why measuring the right metrics—like Mean Time to Detect—is critical for success. They tackle the balance of human + AI orchestration, the security challenges of non-human identities, and how to rethink access controls for a machine-augmented future. If you care about SOC transformation, AI-driven security workflows, and cyber resilience at scale, this is the conversation you can't afford to miss. Watch until the end for practical insights you can start applying today in your own security operations.

This segment is sponsored by Tines. Visit https://securityweekly.com/tinesbh to learn more about them!

Visit https://www.securityweekly.com/bsw for all the latest episodes!
Show Notes: https://securityweekly.com/bsw-412

Paul's Security Weekly TV
Forrester 2026 Budget Planning Guide and BlackHat 2025 Interviews - Jess Burn, Danny Jenkins, Matt Muller - BSW #412

Sep 10, 2025 · 71:11



Business Security Weekly (Audio)
Forrester 2026 Budget Planning Guide and BlackHat 2025 Interviews - Jess Burn, Matt Muller, Danny Jenkins - BSW #412

Sep 10, 2025 · 71:11



Federal Drive with Tom Temin
How federal tech leaders are rewriting the rules for AI and cyber hiring

Sep 10, 2025 · 9:34


GSA and FedRAMP are fast-tracking cloud authorizations for AI tools, while Congress is pushing to prioritize skills over degrees in federal cyber jobs. Together, these moves signal a shift in how agencies adopt innovation and build talent. Here to share how federal contractors can prepare is Jim Carroll, CEO of the Professional Services Council.

The Daily Scoop Podcast
ChatGPT gets one step closer to widespread government use; Microsoft will offer Copilot for free to some government customers

Sep 3, 2025 · 4:30


OpenAI has cleared another critical hurdle to selling its ChatGPT tool directly to the federal government. As of Tuesday, ChatGPT is listed as “in process” on the FedRAMP Marketplace, an online repository that tracks where companies stand in the FedRAMP security review process. While federal agencies can issue their own approvals to use technology platforms, FedRAMP is the government's primary security review program and is designed to clear widespread cloud-based technologies for use across federal agencies. OpenAI received prioritized authorization through 20x, a person familiar with the matter told FedScoop. It's the first company to receive this prioritization, which, in effect, eliminates the need for companies to find federal agencies to sponsor them for review. At one point, OpenAI had engaged USAID, its first enterprise customer, about helping them with the process, FedScoop previously reported, but the agency was mostly shuttered in the early days of the second Trump administration. The General Services Administration created the prioritized review for AI cloud services just last month. Microsoft will offer a host of its cloud services at a discounted price to the federal government, the General Services Administration announced Tuesday, including its artificial intelligence assistant Copilot at no cost to some agencies. The OneGov deal makes Microsoft the latest technology firm to leverage steep discounts on its cloud products to expand adoption within the federal government. It comes on the heels of GSA's deals with industry competitors like OpenAI, Anthropic and Google, which are separately offering their AI models to the government for a dollar or less. Under the new agreement, Microsoft will offer its subscription service, Microsoft 365, Azure Cloud Services, and Dynamics 365 — the company's suite of business management apps — for a “discounted price” for up to 36 months. The Daily Scoop Podcast is available every Monday-Friday afternoon. 
If you want to hear more of the latest from Washington, subscribe to The Daily Scoop Podcast on Apple Podcasts, Soundcloud, Spotify and YouTube.

Innovation in Compliance with Tom Fox
Navigating Cybersecurity Compliance: From Physical Audits to AI Frameworks with Lori Crooks

Sep 3, 2025 · 21:55


Innovation comes in many areas, and compliance professionals need to not only be ready for it but embrace it. Join Tom Fox, the Voice of Compliance, as he visits with top innovative minds, thinkers and creators in the award-winning Innovation in Compliance podcast. In this episode, host Tom Fox visits with Lori Crooks, a seasoned professional in the field of cybersecurity and audit assessments, to discuss the evolution of auditing practices from physical infrastructure to cloud and AI. Lori shares insights from her extensive career, highlighting key federal compliance frameworks like NIST 800-53, FedRAMP, and NIST 800-171. Lori stresses the importance of proactive compliance strategies and scalable GRC programs. As AI integration accelerates, she also touches on the challenges of adjusting compliance frameworks to keep pace with technological advancements, and the necessity of fostering collaboration within organizations to meet regulatory requirements effectively.

Key Highlights:
Federal Auditing Frameworks
Proactive Compliance Strategies
Scalable GRC Programs
AI and Compliance Landscape
Future of Auditing in the Age of AI

Resources:
Lori Crooks on LinkedIn
Cadra
Tom Fox: Instagram, Facebook, YouTube, Twitter, LinkedIn
Check out my latest book, Upping Your Game: How Compliance and Risk Management Move to 2023 and Beyond, available from Amazon.com.
Innovation in Compliance was recently honored as the number 4 podcast in Risk Management by 1,000,000 Podcasts.

GovCast
GovCast: Inside FedRAMP 20x: GSA's Pete Waterman Talks Speed, Safety, Automation

Aug 26, 2025 · 23:42


FedRAMP 20x is redefining how federal cloud services get authorized, making them faster, smarter and more secure. Earlier this year, GSA released the 20x pilot in an effort to increase the efficiency of authorizations and enhance security. Pete Waterman, FedRAMP director at the General Services Administration, unpacks how the program is streamlining approvals, enhancing continuous monitoring and leveraging automation to detect and resolve security risks in real time. Waterman explains how FedRAMP 20x is helping agencies and providers build services that make sense from the start, leading to stronger security and better mission outcomes.

ITSPmagazine | Technology. Cybersecurity. Society
Event Recap: Kieran Human at Black Hat USA 2025 — ThreatLocker Unveils Configuration Defense, Achieves FedRAMP Status & More | Brand Story with ThreatLocker from Black Hat USA 2025

Aug 15, 2025 · 8:07


ThreatLocker introduced DAC configuration monitoring and achieved FedRAMP certification at Black Hat 2025, strengthening zero trust capabilities while expanding government market access through practical security solutions.

Zero trust security continues evolving beyond theoretical frameworks into practical business solutions, as demonstrated by ThreatLocker's latest announcements at Black Hat USA 2025. The company introduced Defense Against Configuration (DAC), a monitoring tool addressing a critical gap in zero trust implementations.

Kieran Human, Special Projects Engineer at ThreatLocker, explained the challenge driving DAC's development. Organizations implementing zero trust often struggle with configuration management, potentially leaving systems vulnerable despite security investments. DAC monitors configurations continuously, alerting administrators to potential security issues and mapping findings to compliance frameworks including Essential 8.

The tool addresses human factors in security implementation. Technical staff sometimes create overly permissive rules to minimize user complaints, compromising security posture. DAC provides weekly reports to executives, ensuring oversight of configuration decisions and maintaining security standards across the organization.

ThreatLocker's approach distinguishes itself through a "denied by default, allowed by exception" methodology, contrasting with traditional endpoint detection and response solutions that permit by default and block threats reactively. This fundamental difference requires careful implementation to avoid business disruption.

The company's learning mode capabilities address deployment concerns. With over 10,000 built-in application profiles, ThreatLocker automates policy creation while learning organizational workflows. This reduces the manual configuration requirements that previously made zero trust implementations tedious and time-intensive.

FedRAMP certification represents another significant milestone, opening government sector opportunities. Federal compliance requirements previously excluded ThreatLocker from certain contracts, despite strong customer demand for its zero trust capabilities. This certification enables expansion into highly regulated environments requiring stringent security controls.

Customer testimonials continue validating the approach. One user reported preventing three breaches after implementing ThreatLocker's zero trust solution, demonstrating measurable security improvements. Such feedback reinforces the practical value of properly implemented zero trust architecture.

The balance between security and business functionality remains crucial. Organizations need security solutions that protect assets without hampering productivity. ThreatLocker's principle of least privilege implementation focuses on enabling business requirements with minimal necessary permissions rather than creating restrictive environments that impede operations.

Human described working closely with CEO Danny Jenkins, emphasizing the collaborative environment that drives product innovation. His engineering perspective provides valuable insights into customer needs while maintaining focus on practical security solutions that work in real-world environments.

As zero trust adoption accelerates across industries, tools like DAC become essential for maintaining security posture while meeting business demands. The combination of automated learning, configuration monitoring, and compliance mapping addresses practical implementation challenges facing security teams today.

Learn more about ThreatLocker: https://itspm.ag/threatlocker-r974

Note: This story contains promotional content.

Guest: Kieran Human, Special Project Engineer at ThreatLocker | On LinkedIn | https://www.linkedin.com/in/kieran-human-5495ab170/

Resources:
Learn more and catch more stories from ThreatLocker: https://www.itspmagazine.com/directory/threatlocker
Learn more and catch more stories from our Black Hat USA 2025 coverage: https://www.itspmagazine.com/bhusa25
Learn more about ITSPmagazine Brand Story Podcasts: https://www.itspmagazine.com/purchase-programs
Newsletter Archive: https://www.linkedin.com/newsletters/tune-into-the-latest-podcasts-7109347022809309184/
Business Newsletter Signup: https://www.itspmagazine.com/itspmagazine-business-updates-sign-up
Are you interested in telling your story? https://www.itspmagazine.com/telling-your-story

The Daily Scoop Podcast
GSA unveils USAi; How the government is working to fast-track security reviews for AI companies

Aug 14, 2025 · 5:47


The General Services Administration rolled out a new governmentwide tool Thursday that gives federal agencies the ability to test major artificial intelligence models, a continuation of Trump administration efforts to ramp up government use of automation. The AI evaluation suite, titled USAi.gov, launched Thursday morning and allows federal agencies to test various AI models, including those from Anthropic, OpenAI, Google and Meta to start, two senior GSA officials told FedScoop. The launch of USAi underscores the Trump administration's increasing appetite for AI integration into federal government workspaces. The GSA has described these tools as a way to help federal workers with time-consuming tasks, like document summaries, and give government officials access to some of the country's leading AI firms. The GSA, according to one of the officials, will act as a “curator of sorts” for determining which models will be available for testing on USAi. The official noted that additional models are being considered for the platform, with input from GSA's industry and federal partners, and that American-made models are the primary focus. Grok, the chatbot made by Elon Musk's xAI firm, is notably not included on the platform for its launch Thursday. Anthropic and OpenAI, two of the country's leading AI companies, recently announced that they're offering their powerful models to federal agencies for $1 for the next year. But the new deals, which are both available through a General Services Administration OneGov contract vehicle, don't on their own clear the way for widespread government adoption of artificial intelligence. Instead, the new financial incentive seems to be daring government officials to move quickly and approve the technology as soon as possible.
Currently, no major AI provider is authorized under FedRAMP, a critical security program that allows agencies to use a company's cloud services — including software or models offered on a cloud service — across government. While several companies — including Anthropic, xAI and OpenAI — have released government-focused product suites, they're still somewhat dependent on cloud providers like Microsoft and Amazon that have already cleared the FedRAMP process. If AI companies want to sell much of their technology directly to the government, they need their own authorization-to-operate or ATO. What's changed, though, is that federal officials now have a new reason to move through security review processes more quickly, a former GSA employee and another person familiar with the matter both told FedScoop. That strategy could involve going through an authorization-to-operate process through an agency's authorizing official — typically, their chief information officer — as well as the security review process explicated by FedRAMP, both people said. GSA is now looking at strategies to speed up the process. An agency spokesperson confirmed that these companies still need to seek FedRAMP authorization if they want to offer their technology directly. But to make that happen faster, GSA is now consulting with the Chief Information Officers Council and the board that oversees FedRAMP about “prioritization for AI companies” that are added to GSA's multiple award schedule. The Daily Scoop Podcast is available every Monday-Friday afternoon. If you want to hear more of the latest from Washington, subscribe to The Daily Scoop Podcast on Apple Podcasts, Soundcloud, Spotify and YouTube.

Business of Tech
Cyber Budgets Shrink, GPT-5 Faces Backlash, FedRAMP Speeds Up, Vendors Squeeze MSPs

Aug 13, 2025 · 17:47


The Cybersecurity and Infrastructure Security Agency (CISA) is facing significant criticism from state and local officials who feel abandoned due to diminishing federal support for critical cybersecurity programs. Many officials are concerned about their increasing reliance on self-driven initiatives, especially after cuts to the Multi-State Information Sharing and Analysis Center, which has been a crucial source of cybersecurity intelligence for over two decades. A recent survey revealed that a substantial portion of state and local governments lack adequate funding for cybersecurity, with 22% allocating no funds and 42% operating with annual budgets of less than $100,000. This situation raises alarms about the potential for increased vulnerability to cyberattacks, particularly from nation-state actors.

In response to the evolving landscape of artificial intelligence, the National Institute of Standards and Technology (NIST) is developing new security guidance aimed at addressing the associated risks. This initiative will clarify how AI interacts with cybersecurity, focusing on securing AI systems, the adversarial use of AI, and leveraging AI to enhance cybersecurity measures. Additionally, a bipartisan bill known as the Validation and Evaluation for Trustworthy Artificial Intelligence Act has been reintroduced in the Senate, aiming to establish guidelines for the responsible development and testing of AI systems. House appropriators are also proposing a significant funding increase for NIST, reflecting a commitment to bolster cybersecurity and innovation.

The Federal Risk Management and Authorization Program (FedRAMP) has made strides in streamlining the approval process for government cloud services, achieving a significant reduction in wait times from over a year to approximately five weeks. This shift is part of a broader trend toward more efficient cloud authorization processes, with FedRAMP already approving more than twice as many services in fiscal year 2025 compared to the previous year. This development presents an opportunity for businesses to leverage FedRAMP-authorized stacks for government-related buyers and to build migration strategies accordingly.

OpenAI has recently updated its ChatGPT platform, introducing new models and third-party tool connectors while facing scrutiny over the performance and security of its latest model, GPT-5. Despite the introduction of various user-focused options, security assessments have revealed significant vulnerabilities in GPT-5, prompting concerns about its safety and reliability. As companies like ConnectWise implement new credit card surcharges and adjust their workforce in response to market demands, the overarching theme emphasizes the need for operational discipline and strategic planning in navigating the evolving technology landscape.

Four things to know today:
00:00 Shrinking Cyber Budgets, Emerging AI Rules, and Streamlined FedRAMP Signal Shifts for IT Providers
06:43 From Security to SaaS Management, Vendors Roll Out Agentic Features for IT Service Providers
10:25 OpenAI Expands GPT-5 Options, Adds Connectors, but Faces Early Security Backlash
13:41 ConnectWise Adds Credit Card Surcharges, Trims Staff in Strategic Realignment

Supported by: https://syncromsp.com/
Tell us about a newsletter! https://bit.ly/biztechnewsletter
All our Sponsors: https://businessof.tech/sponsors/
Do you want the show on your podcast app or the written versions of the stories? Subscribe to the Business of Tech: https://www.businessof.tech/subscribe/
Looking for a link from the stories? The entire script of the show, with links to articles, is posted in each story on https://www.businessof.tech/
Support the show on Patreon: https://patreon.com/mspradio/
Want to be a guest on Business of Tech: Daily 10-Minute IT Services Insights? Send Dave Sobel a message on PodMatch, here: https://www.podmatch.com/hostdetailpreview/businessoftech
Want our stuff? Cool Merch? Wear “Why Do We Care?” - Visit https://mspradio.myspreadshop.com
Follow us on:
LinkedIn: https://www.linkedin.com/company/28908079/
YouTube: https://youtube.com/mspradio/
Facebook: https://www.facebook.com/mspradionews/
Instagram: https://www.instagram.com/mspradio/
TikTok: https://www.tiktok.com/@businessoftech
Bluesky: https://bsky.app/profile/businessof.tech

The Daily Scoop Podcast
Anthropic offers Claude AI to federal agencies for $1; FedRAMP authorizations in 2025 already more than double last year

Aug 12, 2025 · 4:24


Federal agencies will now have access to Anthropic's Claude model for $1, the General Services Administration announced Tuesday, continuing the agency's push for artificial intelligence products across government. Under the OneGov deal, all three branches of government will be able to use Anthropic's Claude for Enterprise and Claude for Government for a nominal $1 fee. Approval for members of Congress and the judiciary is pending, the GSA noted. It is the latest in a series of deals between private AI firms and the federal government to increase the use of automation in agency workflows and boost workers' productivity and efficiency. Anthropic said in a release Tuesday: “We believe the U.S. public sector should have access to the most advanced AI capabilities to tackle complex challenges, from scientific research to constituent services. By combining broad accessibility with uncompromising security standards, we're helping ensure AI serves the public interest.” Anthropic's Claude for Government models have FedRAMP High certification and can be used by federal workers dealing with “sensitive unclassified work,” while Claude for Enterprise models have expanded features for data protection, Anthropic said. Anthropic said it will also offer technical support for agencies to implement its products into workflows. The Federal Risk Management and Authorization Program has already approved more than twice as many government cloud services in fiscal year 2025 as all of fiscal 2024, the General Services Administration announced Monday. FedRAMP reached 114 authorizations in July for fiscal 2025, along with four new cloud services through the FedRAMP 20x revamp program, according to a GSA statement. In fiscal 2024, FedRAMP authorized 49 cloud service providers, according to a GSA spokesperson. The reform program, unveiled in March, is focused on simplifying the authorization process and shaving the approval timeline from months to weeks. 
Eventually, agency sponsorship will no longer be needed to win authorization, a process that is often expensive and time-consuming. The new numbers come just over a year since the Office of Management and Budget published a memo calling for the modernization of the cloud authorization process. GSA said FedRAMP had a “significant backlog” at the time of the memo, with authorizations taking more than a year. A year later, FedRAMP's increased use of automation and streamlined workflows cut the wait time to about five weeks, the GSA said.

ITSPmagazine | Technology. Cybersecurity. Society
Simplifying Security Without Sacrificing Control | A ThreatLocker Event Coverage of Black Hat USA 2025 Las Vegas | Brand Story with Danny Jenkins

Aug 11, 2025 · 19:25


At Black Hat USA 2025, Danny Jenkins, CEO of ThreatLocker, shares how his team is proving that effective cybersecurity doesn't have to be overly complex. The conversation centers on a straightforward yet powerful principle: security should be simple enough to implement quickly and consistently, while still addressing the evolving needs of diverse organizations.

Jenkins emphasizes that the industry has moved beyond selling “magic” solutions that promise to find every threat. Instead, customers are demanding tangible results—tools that block threats by default, simplify approvals, and make exceptions easy to manage. ThreatLocker's platform is built on this premise, enabling over 54,000 organizations worldwide to maintain a secure environment without slowing business operations.

A highlight from the event is ThreatLocker's Defense Against Configurations (DAC) module. This feature performs 170 daily checks on every endpoint, aligning them with compliance frameworks like NIST and FedRAMP. It not only detects misconfigurations but also explains why they matter and how to fix them. Jenkins admits the tool even revealed gaps in ThreatLocker's own environment—issues that were resolved in minutes—proving its practical value.

The discussion also touches on the company's recent FedRAMP authorization process, a rigorous journey that validates both the product's and the company's security maturity. For federal agencies and contractors, this means faster compliance with CMMC and NIST requirements. For commercial clients, it's an assurance that they're working with a partner whose internal security practices meet some of the highest standards in the industry.

As ThreatLocker expands its integrations and modules, Jenkins stresses that simplicity remains the guiding principle. This is achieved through constant engagement with customers—at trade shows, in the field, and within the company's own managed services operations. By actively using their own products at scale, the team identifies friction points and smooths them out before customers encounter them.

In short, the message from the booth at Black Hat is clear: effective security comes from strong fundamentals, simplified management, and a relentless focus on the user experience.

Learn more about ThreatLocker: https://itspm.ag/threatlocker-r974

Note: This story contains promotional content.

Guest: Danny Jenkins, CEO of ThreatLocker | On LinkedIn | https://www.linkedin.com/in/dannyjenkinscyber/

Resources:
Learn more and catch more stories from ThreatLocker: https://www.itspmagazine.com/directory/threatlocker
Learn more and catch more stories from our Black Hat USA 2025 coverage: https://www.itspmagazine.com/bhusa25
Learn more about ITSPmagazine Brand Story Podcasts: https://www.itspmagazine.com/purchase-programs
Newsletter Archive: https://www.linkedin.com/newsletters/tune-into-the-latest-podcasts-7109347022809309184/
Business Newsletter Signup: https://www.itspmagazine.com/itspmagazine-business-updates-sign-up
Are you interested in telling your story? https://www.itspmagazine.com/telling-your-story

Business of Tech
Rethinking Cybersecurity: Why Traditional MFA Fails and the Future of Phishing-Resistant Solutions with Bob Burke

Jul 13, 2025 · 21:11


Bob Burke, Chief Information Security Officer at Beyond Identity, challenges the effectiveness of traditional multi-factor authentication (MFA) in the evolving cybersecurity landscape. He argues that legacy MFA solutions, which often rely on out-of-band authorization methods like push notifications or one-time passwords, are no longer sufficient against the rising tide of sophisticated cyber threats. With the advent of services like phishing-as-a-service, attackers can easily bypass these outdated security measures, necessitating a shift towards phishing-resistant authentication methods. Burke emphasizes the need for organizations to adopt solutions that not only enhance security but also consider device posture and trustworthiness.

Burke also critiques the current state of FIDO2 and passkeys, acknowledging their potential while highlighting their limitations, particularly in terms of device posture and user experience. He suggests that small to mid-sized businesses (SMBs) should prioritize phishing-resistant solutions that integrate both browser protection and device authentication. Furthermore, he raises concerns about the pricing models of many Software as a Service (SaaS) providers, which often place essential security features behind higher-tier subscriptions, effectively discouraging customers from adopting more secure practices.

The conversation shifts to the endpoint detection and response (EDR) market, where Burke notes that while EDR solutions are still necessary, they are evolving into more comprehensive offerings like extended detection and response (XDR). He points out that many of these solutions are priced for enterprise-level organizations, leaving SMBs and mid-market companies struggling to find affordable options. Burke encourages these organizations to seek out solutions that fit their budget while still providing essential security capabilities.

Finally, Burke shares insights from his experience with the FedRAMP authorization process, emphasizing the importance of building internal security competencies and integrating security into product design from the outset. He advocates for a clear internal compliance program, such as one built on the NIST frameworks, to guide organizations in their security efforts. As the cybersecurity landscape continues to evolve, Burke warns that the tempo and scope of attacks are increasing, driven by advancements in AI, and urges organizations to reassess their security architectures to stay ahead of emerging threats.

Show notes and the full script with links: https://www.businessof.tech/
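The bypass the show notes describe, as an added example that is not from the episode and not Beyond Identity's code: a phishing-as-a-service kit runs an adversary-in-the-middle proxy on a lookalike domain, so a push approval or a one-time code the victim supplies there is relayed to the genuine site and accepted, because nothing in the code records where it was typed. A WebAuthn assertion is signed over the origin and RP ID the browser actually observed, so the same relay fails at the relying party. The Go below is constructed for this page: the TOTP seed is the RFC 6238 test vector, Ed25519 stands in for the ES256 keys most authenticators use, authenticator data is reduced to the rpIdHash, and the hostnames are invented.

```go
package main

import (
	"crypto/ed25519"
	"crypto/hmac"
	"crypto/rand"
	"crypto/sha1"
	"crypto/sha256"
	"encoding/binary"
	"encoding/json"
	"fmt"
)

// Legacy MFA: RFC 6238 TOTP. The code is a bearer value; nothing in it records where it was typed.
func totp(secret []byte, unixTime int64) string {
	var msg [8]byte
	binary.BigEndian.PutUint64(msg[:], uint64(unixTime/30))
	mac := hmac.New(sha1.New, secret)
	mac.Write(msg[:])
	h := mac.Sum(nil)
	off := h[len(h)-1] & 0x0f // dynamic truncation, RFC 4226 section 5.4
	return fmt.Sprintf("%06d", (binary.BigEndian.Uint32(h[off:off+4])&0x7fffffff)%1000000)
}

// verifyTOTP is the real site's check: it sees only the code, never the page the user typed it on.
func verifyTOTP(secret []byte, code string, unixTime int64) bool {
	return hmac.Equal([]byte(code), []byte(totp(secret, unixTime)))
}

// Phishing-resistant MFA: a WebAuthn-style assertion whose signature covers origin and RP ID.
// clientData is the subset of CollectedClientData used here; the browser, not the page, sets Origin.
type clientData struct {
	Type      string `json:"type"`
	Challenge string `json:"challenge"`
	Origin    string `json:"origin"`
}

// assertion is simplified: AuthenticatorData carries only the 32-byte rpIdHash (flags, counter omitted).
type assertion struct {
	AuthenticatorData, ClientDataJSON, Signature []byte
}

// newCredential registers a credential; Ed25519 stands in for the ES256 keys most authenticators use.
func newCredential() (ed25519.PublicKey, ed25519.PrivateKey) {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		panic(err)
	}
	return pub, priv
}

// authenticatorSign models browser plus authenticator: origin and RP ID are taken from the page that
// made the request, and the key signs rpIdHash || SHA-256(clientDataJSON).
func authenticatorSign(priv ed25519.PrivateKey, pageOrigin, pageRPID, challenge string) assertion {
	cd, _ := json.Marshal(clientData{Type: "webauthn.get", Challenge: challenge, Origin: pageOrigin})
	rpIDHash, cdHash := sha256.Sum256([]byte(pageRPID)), sha256.Sum256(cd)
	signed := append(rpIDHash[:], cdHash[:]...)
	return assertion{AuthenticatorData: rpIDHash[:], ClientDataJSON: cd, Signature: ed25519.Sign(priv, signed)}
}

// verifyAssertion is the relying party's check (WebAuthn section 7.2, abridged): origin and RP ID must
// be the RP's own, the challenge must be the one it issued, and the signature must cover all of it.
func verifyAssertion(pub ed25519.PublicKey, a assertion, expectedOrigin, expectedRPID, challenge string) bool {
	var cd clientData
	if json.Unmarshal(a.ClientDataJSON, &cd) != nil || cd.Type != "webauthn.get" || cd.Challenge != challenge || cd.Origin != expectedOrigin {
		return false
	}
	want := sha256.Sum256([]byte(expectedRPID))
	if len(a.AuthenticatorData) < 32 || !hmac.Equal(a.AuthenticatorData[:32], want[:]) {
		return false
	}
	cdHash := sha256.Sum256(a.ClientDataJSON)
	signed := append(append([]byte{}, a.AuthenticatorData...), cdHash[:]...)
	return ed25519.Verify(pub, signed, a.Signature)
}

// Scenario: an adversary-in-the-middle phishing kit on a lookalike domain proxies the genuine login page. Hostnames are made up.
const realOrigin, realRPID = "https://login.example.com", "example.com"
const phishOrigin, phishRPID = "https://login.examp1e.com", "examp1e.com"

// relayedTOTPAccepted: the victim types the code on the phishing page and the kit forwards it.
func relayedTOTPAccepted(secret []byte, now int64) bool {
	return verifyTOTP(secret, totp(secret, now), now)
}

// relayedAssertionAccepted: the kit forwards the real site's challenge to the victim's browser, which
// signs it on the phishing origin; the kit relays the assertion, and the RP sees the wrong origin and RP ID.
func relayedAssertionAccepted(pub ed25519.PublicKey, priv ed25519.PrivateKey, challenge string) bool {
	return verifyAssertion(pub, authenticatorSign(priv, phishOrigin, phishRPID, challenge), realOrigin, realRPID, challenge)
}

func main() {
	secret := []byte("12345678901234567890") // RFC 6238 test-vector seed, a constructed input
	pub, priv := newCredential()
	fmt.Println("TOTP relayed by the phishing kit accepted:", relayedTOTPAccepted(secret, 59))
	fmt.Println("assertion relayed by the phishing kit accepted:", relayedAssertionAccepted(pub, priv, "c0ffee"))
	genuine := authenticatorSign(priv, realOrigin, realRPID, "c0ffee")
	fmt.Println("assertion from the genuine origin accepted:", verifyAssertion(pub, genuine, realOrigin, realRPID, "c0ffee"))
}
```

Run with `go run .`: the relayed TOTP verifies, the relayed assertion does not, and the same credential used on the genuine origin does. A real browser would not even hand the phishing page an assertion for a credential whose rpId does not match the page's domain; the example lets the request through so that the relying party's own origin and rpIdHash checks are visible. Note what this check does not cover, which is Burke's device-posture point: the signature says which key and which origin signed, not whether the device holding the key is healthy.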

Govcon Giants Podcast
Why Small Businesses Keep Failing: The 10% HUBZone Advantage You're Wasting!

Govcon Giants Podcast

Play Episode Listen Later Jun 26, 2025 10:17


In today's episode of the Daily Windup, we dive into the world of government contracts and how startups can navigate this complex landscape. Our speakers discuss the importance of FedRAMP authorization and how it can open doors for small businesses. They share valuable advice on building a track record and finding the right niche to deliver value to government agencies. Our guest, an experienced entrepreneur, shares the story of how they secured their first government contract and the valuable lessons they learned along the way. From dealing with pricing challenges to overcoming the initial hurdles of being a new player in the market, this episode provides invaluable insights for startups seeking to make their mark in the government space. So, tune in to learn from the experiences of seasoned entrepreneurs and discover the keys to success when it comes to breaking into government contracts. Brought to you by alchemy gov - When Connections Matter Most.

IT Visionaries
What IT Leaders Can Learn from How the Government Buys Tech

IT Visionaries

Play Episode Listen Later Jun 26, 2025 44:04


IT leaders in regulated industries know the pain of navigating outdated, slow procurement systems, especially when critical missions depend on modern tools. In this episode, Bryana Tucci, Lead of the AWS Marketplace for the US Intelligence Community, shares how government agencies are overcoming legacy procurement bottlenecks to access cutting-edge software, AI tools, and cloud services faster and more securely.

Listeners will gain insight into:
- Why traditional government procurement can take up to two years, and how that's changing.
- How air-gapped environments complicate innovation and what's being done about it.
- How generative AI is reshaping national security workflows.
- What kinds of tech companies are best positioned to succeed in the public sector.

This episode is a must-listen for IT leaders interested in procurement innovation, cloud adoption in secure environments, and where AI fits into the future of public sector IT. Enjoy!

Key Moments
00:00 Meet Bryana Tucci, AWS
06:58 The Pain Point: Procurement Then vs. Now
11:31 Unique Challenges in Public Sector Tech
15:55 The Long Road to Selling in Government
19:23 Vetting and Onboarding Sellers (how to meet federal standards)
23:49 Government + AI: A Game-Changer
30:34 Cost Efficiency, Saving Time, and the Future of Procurement
41:46 What's Next for AWS Marketplace

Produced by the team at Mission.org and brought to you by Brightspot.

Govcon Giants Podcast
2.5 YEARS Just to Win ONE Government Contract? The Ugly Truth They Won't Tell You!

Govcon Giants Podcast

Play Episode Listen Later Jun 23, 2025 7:13


Welcome to a new episode of The Daily Windup! Today, I had the pleasure of speaking with Yolanda Clark, CEO of Powder River Industries, a small business that has successfully navigated the world of defense contracts and specialized in DevSecOps and infrastructure as code services. Yolanda shared her journey of bringing stability to her business by establishing headquarters in Wyoming while her spouse serves in the military. In our conversation, Yolanda explained the intricacies of DevSecOps, clarifying that it involves coding within secure environments, ensuring software compliance with cyber requirements from day one. We also discussed the differences between FedRAMP and their services, with Yolanda highlighting how they provide support at a specific point within the lifecycle for their defense customers. Listen now to learn more!