Reckless Compliance

Welcome to Reckless Compliance – Meet Your Host Max Aulakh

Welcome to episode zero of the Reckless Compliance podcast, brought to you by Ignyte Assurance Platform, where we discover the unintended consequences of compliance. I am your host, Max Aulakh.

In this inaugural episode, we cover the following topics:

  • Overview of topics that will be covered in the podcast
  • Overview of the goals of the podcast
  • Max’s promise to listeners and subscribers


Max Aulakh Bio:

Max is the CEO of Ignyte Assurance Platform and a Data Security and Compliance leader delivering DoD-tested security strategies and compliance that safeguard mission-critical IT operations. He has trained and excelled while working for the United States Air Force. He maintained and tested the InfoSec and ComSec functions of network hardware, software, and IT infrastructure for global unclassified and classified networks.

Max Aulakh on LinkedIn

Ignyte Assurance Platform Website


Episode Highlights:

Max’s Promise:

If you genuinely ask a question, I will personally get back to you or bring on a top-notch leader on the show who can answer it! 

Topics of Interest that We Will Cover in our Future Episodes

  • Key Terminology
  • Frameworks and Legislation
  • What is FIPS compliance, and why does it suck?


00:00:03

Welcome to the Reckless Compliance Podcast, where we learn about unintended consequences of federal compliance, brought to you by Ignyteplatform.com. If you’re looking to learn about cyber risk management and get your product into the federal market, this podcast is for you. Or if you’re a security pro within the federal space looking for a community, join us. We’ll break down tools, tips, and techniques to help you get better and faster at getting through the laborious federal accreditation processes. It doesn’t matter what type of system or federal agencies you’re dealing with. If you’ve heard of confusing terms like ATOs, FedRAMP, RMF, Dysastics, SAPs, SARs, or newer terms like cATO, Big Bang, OSCAL, and SBOMs, we’ll break them all down one by one. And now, here’s the show.


00:00:50

Hello everyone, thank you for tuning in to Episode Zero of Reckless Compliance, where we get to learn and explore unintended consequences of compliance. I’m your host, Max Aulakh. I’m a prior Air Force guy. I’ve been in security for more than 20 years. I started in trusted computing, then moved over to application security, and then I started doing accreditation and risk management work, all the way back from DIACAP to now RMF.


00:01:17

So the goal of this podcast is to really help our industry professionals get some insight. When I have a question, I usually pick up the phone and call a few friends, do a bunch of Google searches, and then of course read policy and things like that. What I’ve never seen out there is anybody covering the conversations that I’m having, and of course the conversations that others are having. So I believe that in order to help our industry, we need to not only spread the knowledge, but we need to also freely share it. I haven’t seen a single podcast that covers these kinds of issues, and really the goal is to provide a format for you that’s semi-formal and geared towards specific topics where we can go deep into those topics. You’re actually learning. You can reference those for your knowledge. And of course, I will continuously update it as we learn more things. I may even reference some of my old topics. Maybe they’ve been updated; some guidance has been updated. And of course, all the information is well researched, well thought out, as well as referenced.


00:02:28

So what are the topics we’re going to cover? We want to take apart every single aspect of federal cyber compliance from multiple angles. So if you’re working on the classified side, and then all of a sudden you have to do unclass work, or the other way around, or if you’re working in the commercial sector, but now you’ve got a government job and you’re not quite sure how to take your knowledge in PCI, GDPR, HIPAA, whatever cybersecurity legislative framework you’re dealing with and/or have dealt with, and now how do you apply that to, you know, let’s say in the DoD, you have to do STIG compliance, right? So there are a lot of gaps in our industry. These are some of the topics we’ll cover, and we’ll get to the fundamentals as well. Like what is a SCAP tool, right? If you are an AO or somebody who reports to an AO, you’ve got to manage a lot of different packages, and it’s not just in a single tool; how do you actually manage those things independent of tooling? We’ll cover all the RAMP programs, things like FedRAMP, StateRAMP, TX-RAMP, and all variations of RMF. Everything from ICD, Intelligence Community Directives, to regular old RMF that the commercial side uses, and then of course different permutations and variations at each different agency. So really the goal here is to teach, share deep insight for accreditation professionals, or for those that are looking to get their product into the market and they just have some basic questions, right? Like how do I get started? Or how do I answer this control? So those are some of the topics we’re going to cover.


00:04:15

So my current plan is to release two episodes every month, but as I start to field more questions, the frequency may pick up; really the minimum you should expect is two episodes every month. And here’s what I can promise you. About five to seven years ago, I was teaching courses for application security, threat modeling, and one of them was also around RMF. I actually published that course online. There are parts of it still left on YouTube, where I’m talking about how to form a boundary. Over the years, that course has been viewed 20 to 30,000 times, and every year I get about seven to eight students that reach back out to me and they have questions. So what I can promise you is that it doesn’t matter if you’re a student or a professional, I will always make it a point to reach out to you and answer every single question that you have. That’s a promise I’m going to keep. If you genuinely ask a question, right, it’s my job to either answer the question or bring a top-notch leader directly onto the show who can answer it. So that’s my promise to you.


00:05:27

And you should definitely listen in if you’ve been listening and just kind of paying attention to what’s happening with all administrations. It doesn’t matter who is in the White House. Cybersecurity risk management is a bipartisan issue. So we’ve got new guidance that’s coming out about software bill of materials, supply chain risk management, and the condition of our country just seems to be getting worse, right? So we have new rules. We have better rules, supposedly, but we’re seeing the opposite effect when it comes to accreditation work. What we’re seeing is that a lot of innovation is being blocked. So if you really care about improving how we do work in this country, accreditation professionals and risk management professionals are a big part of that. A lot of times we get pointed at as the people who are the naysayers, right? So if you really care about improving your work environment, and ultimately leading to a more innovative kind of country where we have all of these products not only on the commercial side but also on the government side, you should listen in.


00:06:42

So the topics are going to be well researched about a policy, and it’s not necessarily about how we interpret this policy, but it’s really about how others are applying it in their environment. That’s usually the missing piece, right? We know that everything we do, you know, not everything is black and white, right? You can’t just answer these things in a yes or no format. So what we want to provide here is what other professionals are doing. I talk to over a hundred professionals every month on various issues of RMF, and sometimes I wish those conversations were captured somewhere, and the goal here is to bring light to those conversations. How are other people solving some of these challenges that we all deal with?


00:07:31

So I want you to subscribe, of course, rate this podcast and others. I want you to share it with somebody that you know. Veterans that are getting into the market, software development professionals, DevSecOps folks that are always asking, hey, I’ve done my vulnerability scans, but what else do I need to do? It’s important for all of us to collectively learn together. So I want you to share this. Feedback is always welcome on the topics you’d like to focus on. I’ve got a whole set of topics that I’m going to cover to begin with, but if you have feedback on how to improve this, that would be much appreciated. And lastly, I want to thank you for listening in to my very first episode, episode zero. I’m happy to meet you all, and I will see you all next time.


00:08:17

Thank you for tuning in. If you enjoyed the podcast, head over to ignyteplatform.com/reckless. You’ll find notes, links and additional content. Head over to iTunes to subscribe, rate and leave a review. 
