‹ All episodes

Reckless Compliance

CMMC and DIBCAC Audit Journey w/Anthony Fisic (CISO) from Battelle


Our guest today is Anthony Fisic, Chief Information Security Officer at Battelle, who conducts research and development, designs and manufactures products, and delivers critical services for government and commercial customers. This podcast episode focuses on federal compliance’s impact on defense industry businesses. Anthony shares his background in law enforcement and military service, highlighting the transferable skills and experiences that have prepared him for his role as CISO at Battelle.

  • The DIBCAC Audit Journey
    • General Process from CISO Perspective
    • Strategic Shifts internally
      • Preparing from a leadership perspective
      • How Anthony prepared his team
    • Impact on Team Members
      • Some challenges faced
    • CISOs looking to prepare
    • Thoughts on new rules (Rev 3 of NIST 800-171)
  • Key Takeaways

LinkedIn Bio

Max is the CEO of Ignyte Assurance Platform and a Data Security and Compliance leader delivering DoD-tested security strategies and compliance that safeguard mission-critical IT operations. He has trained and excelled while working for the United States Air Force. He maintained and tested the InfoSec and ComSec functions of network hardware, software, and IT infrastructure for global unclassified and classified networks.

Max Aulakh on LinkedIn

Ignyte Assurance Platform Website


Max 00:01 – 00:10

Welcome to Reckless Compliance Podcast, where we learn about unintended consequences of federal compliance brought to you by ignyteplatform.com. If you’re looking to learn about cyber risk management and get your product into the federal market, this podcast is for you. Or, if you’re a security pro within the federal space looking for a community, join us. We’ll break down tools, tips, and techniques to help you get better and faster to get through the laborious federal accreditation processes. It doesn’t matter what type of system or federal agencies you’re dealing with. If you’ve heard of confusing terms like ATOs, FedRAMP, RMF, DISA Stigs, SAAB SARS, or newer terms like CATO, Big Bang, OSCAL, and SBOMs, we’ll break it down all one by one. And now, here’s the show. 


Hi, everyone. Welcome to Reckless Compliance, where we learn about unintended consequences of compliance. This is a leadership podcast. So, for those of you in the defense industry, what we typically cover are the latest developments when it comes to public sectors in the context of information security cyber compliance. Today, we have Anthony with us. But before I let him introduce himself, what we’re really gonna dive into today is this whole DBCAC, CMMC ball of wax and how that is impacting the defense industrial base. A lot of people have done a lot of self-assessment and a lot of work, but there are only a few leaders who have actually gone through a joint surveillance program. And that’s important because it’s gonna give us insight into how to prepare for these assessments when it comes to an actual audit. So with that, without further ado, I want to introduce Anthony. Anthony’s a good friend of mine. Anthony, for those who are not familiar with you, tell us a little bit about your background. I know you served; we both served, but tell us your journey and what you’re doing at Battelle. 


Anthony Fisic 01:51 – 03:08

Well, great. I appreciate that. Max, I really appreciate you having me on. My name’s Anthony Fisic. My journey has been quite long and, you know, I would say that quite diverse. You know, I’m an Ohio guy, born and bred, and I really started my journey working and joining the military and the law enforcement function. And one of the things I realized as I was moving up the ranks, you know, was kind of the correlation to, you know, there are a lot of law enforcement intelligence and other backgrounds that are, heck, even from a music perspective and math perspective that are quite successful in a cybersecurity field. And as I evolved and grew up within the service, there were tremendous opportunities to explore those pathways and, you know, kind of capture some of the passions of my youth, where it started on the Oregon trail and eventually moving into, you know, senior law enforcement position and commanding overseas and in Afghanistan. And eventually. Deputy CISO of a large DOD organization and making friends like you, Max, and others in the business, like Joel, to help that transition out of the service. And after the service, I moved to several public companies. And I eventually ended up, because I grew up the mission, the mission superior, and getting back to my roots of service, becoming the CISO at Battelle. 


Max Aulakh 03:08 – 04:12

That’s awesome, Anthony. I know a lot of chief security officers; they share a similar background. It’s like they’ll take the intel guys and the MPs and that’s military police and the air force. We have SF, security forces, not special forces. And a lot of those guys end up in this chief security officer role. I know, like. with the CSO of Great American Insurance and TikTok, man, they all have a very similar background. And I think it serves well, especially when it comes to dealing with the public sector. It’s just some nuance and weirdness to it. So I think a lot of people are afraid of working with the government because of this new regulation, right? We’ve got the whole FedRAMP thing, but that was for large CSPs. I know you had some experience in achieving that successfully, but there are a lot of smaller businesses that are like Man we gotta do this whole CMMC thing, so kind of tell us openl that can of worms for us what was it like when you got to Battelle, and then all the sudden you know you found out you were with this I think this was one of your first tasks right to take care of this is. 


Anthony Fisic 04:12 – 05:26

Yeah, so one of the first tasks, I was fortunate where Batelle as an organization, has been working towards complying and meeting security best practices and contractural requirements through FARS. So I was really blessed to join the organization and then as a team and as an organization where this was fully embraced and already accepted as part of the business, as far back as 2017 when these rules were first implemented, right? And I think since then, clearly, it’s evolved. And one of the evolutions on the business side is to stay up in line with those and ensure that we operate according to those rules. And at the end of the day, whether you’re in this business and at CMMC or others or FedRAMP or PCI, it’s all about diligence. And I think, especially in this business, it’s about doing the right thing, even if it’s not entirely clear. So, as I said, very fortunate to be where the business case is understood. Compliance is often a business driver, but security isn’t. And I think at this organization, everything’s merged. And it really makes it a little less daunting to accomplish these tasks when everybody’s aligned, and there’s a firm direction from the top down. 


Max Aulakh 05:26 – 05:57

Yeah, I think, Anthony, you know, Battelle, you can’t separate Battelle from defense, right? They’ve been at it for 50-plus years. So I could imagine that they’re well versed in at least some of the requirements. But I think a lot of people understand that security doesn’t equal compliance and vice versa. But from your perspective, right, when you first landed at Battelle, what was the journey like, right? What went through your mind when you got that email or that call from the DIBCAC team, right? What were you thinking? 


Anthony Fisic 05:57 – 07:07

Wow. This is going to be interesting, right? So, the journey itself for the DIBCAC call was, it’s pretty significant, right? So clearly, this is where these things were in flight and culturally, you know, showing up there, the organization was prepared. I think as you work through these things and you’re the leaders in these industries, it’s difficult to find, you know, from a compliance perspective, you look at controls, what’s a good medium, right? Yeah. Everybody’s security is not compliance. Right. Are you doing too much? Are you doing too little? We’re still meeting the intent of the control. So I think as I joined, I was able to add some perspective to the team, help shed some light on those as we continued on that for, you know, the journey of preparing in the ever-changing and shifting timelines of CMMC, DBCAC equivalency, potentially trying to make sure we set the conditions for success and As I said, as a nascent or newer process, just like Sarbanes-Oxley in a few days, we don’t know what’s expected and making sure we’re doing the right thing from a diligence and compliance perspective, protecting the government. 


Max Aulakh 07:08 – 07:43

And I think that’s a really hard position to be in because usually the government, you know, they lay out everything. Like everything is spec’d out, right? You have controls that are extra verbose. You got these whole things, the STIGS and, you know, here’s the settings. And CMMC seems to kind of flip that model where there’s very little context. and the chief security officers are kind of left up to guessing on how to interpret this. Did you find that challenging? How did you guys manage those kinds of nuances when there isn’t that verbose of language? 


Anthony Fisic 07:43 – 08:52

Right. And I think that’s that balancing act. We have a very robust and competent internal audit function that really helps us as that third party, essentially, that independent third party, to really help measure what’s right. And then we look at it from a contextual risk perspective of how deep do we go investment-wise and others. So I think at this particular organization, we were really well positioned. We’ve been doing it for a long time, and this is just the next iteration. So I understand the challenges coming from an organization that did FedRAMP for the first time and many other global certifications, whether it’s ISO or things Finding that middle ground is not always hard, but I think, as I said, the team and the organization was incredibly ready for this. It’s just finding that right comfort level so that we felt going into that audit with the DBCAC, we’d be in a good spot. And, you know, that involves external partners, different validations, right? Because we don’t, as an industry leader, we don’t want to miss the bar on this. We want to set the standard for everybody else. 


Max Aulakh 08:53 – 09:30

Yeah, yeah, you’re absolutely right. There are very few that have actually gone through this, so I can completely understand. Let’s talk about some potential strategic shifts that you may have encountered internally. So this whole notion of what is reasonable, what is the right balance, man, that’s really hard to figure out. But what were some of the things you had to prepare the leadership on, right? Because this is not just your cookie-cutter compliance play. This is the government coming to audit the industry, How did you prepare your leadership, CIO, CEO, and others as this thing was about to take off and happen? 


Anthony Fisic 09:30 – 10:27

Right. And as I mentioned, very fortunate with members of, you know, everybody’s been versed in the government regulations and they come from a DevCon background. But I think as we, from a programmatic and business perspective, start to look at these, these are new costs, right? Where, you know, particularly GAO or government accounting procedures have not caught up, you know, to How are these requirements of contracts? You know, it’s not formalized officially. So, working through those costing models, understanding they will fit as these ultimately, at some point will impact our rates, right? So trying to work through that as a business complete IT organization to understand costs for these enclaves that we’ve developed or secure environments so we can appropriately capture the costs and then potentially as part of the accounting rules and moving forward. You know, attributed them to our rates and or not impacting our clients. I think that’s the biggest point. 


Max Aulakh 10:27 – 10:57

Yeah, I think you bring up a really good point, right? So many times we get caught up in, of course, there’s a stress of audit, and then there’s these controls and all of these things. I think a big portion of this is cost accounting, managing the bottom line properly, because this is all new work caused by the government. Were there any surprises, like as you went through this, whether it’s from a cost perspective or technical perspective for your team that you guys weren’t aware of, and it was a brand new kind of thing that was brought as you went through the audit? 


Anthony Fisic 10:57 – 12:16

I think from a security perspective, there weren’t any novel or lights-on moments. It was really, once again, making sure we could apply these controls in the appropriate manner in these enclaves or uncertain parts of the environment so we could protect this data. And I think one of the hardest parts we’ve encountered is data in and out. You know, what is this process to make sure you’re putting in, dirty or clean buckets we call them, what’s going in, what can come out? And then, you know, the approach of using a virtual desktop to really segregate and isolate these environments, working not only with the constraints of that, whether it’s software development or others. And reading your book now, Industrial DevOps, and I hope to read Joel’s book later, just trying to get a perspective on, sure, there’s compliance in our CMMC, but there are some hard problems out there still when you try to integrate the physical and virtual from a software development perspective, and the complexity of AI in those as well, trying to make sure those stay secure environment so that’s an ever-changing evolving solution set that we’re working through but that’s everybody’s issue as well. As the government matures, we look more at AI. I think these are things that are going to be enduring, and everybody’s looking for the next best way to do that through process integrations while maintaining the integrity of these systems that have to 


Max Aulakh 12:17 – 13:09

Yeah, I think, Anthony, there’s a lot of people that are going to learn from your experience, but also organizations like Battelle that are going through this because, you know, imagine there’s like 100,000 plus 600,000 small businesses and they’re all, many of them are manufacturing shops. So they’re not dealing with traditional IT; they’re dealing with operational IT, some of the things that you guys have. And back in our days in the military, we called it platform IT, right? Those kinds of systems. But I think how that model applies to compliance in general, compliance usually breaks apart, right? So, I’m very interested in figuring out how the government is going to change, and build specialized models, especially for some of those enclaves and special systems. Now, did they go into those areas where it was more at a corporate level? How far deep did they reach just to kind of inspect where you guys are at? 


Anthony Fisic 13:09 – 14:33

Right. So, from a level one perspective, that is not something they looked at. Right. And if you speak to small business, really, I think primarily that’s where most are going to operate. within the level one, those 17 basic controls. And I think it may seem ominous, but really those are diligence, and there’s a lot of equivalencies with other things from a business process or security perspective that would meet those. But from a CMC, CMMC level two perspective and level three, not that we’ve taken that journey yet, it’s really appropriately scoping your environment. So that’s the key, just whether it’s PCI or this, make sure you understand your enclave. And the approach we took was to, you know, develop this enclave that was secure and compliant with the rules. And that’s how we approach it because if you were to do all of Battelle or all of any other organization, it’s cost-prohibitive, and it defeats the purpose, right? It’s like having a flat network. Nobody likes that. So the idea is, although there are many secure enclaves that meet these standards in different ways. We approached it through, okay, this is something we want to take a holistic management approach on. This is the new, new, and we’re going to build something that’s compliant and move systems into there that require this compliance. And then those are the challenges of software development, moving, supporting tools in there, you know, whether it’s SDLC or other things to ensure that they’re encapsulated or they are shared service across these, but they’re isolated. 


Max Aulakh 14:34 – 14:59

I love it when you said this is the new new, right? Cause, as you mentioned, the first, you know, level one is just basic hygiene, but a lot of small businesses are unaware of it. And you said you guys went for a level two, really, and you’re not really positioning for level three yet, but knowing Battelle, right? Battelle and similar organizations all operate in the classified space. I would imagine some of those things would eventually make it down to you guys, depending on the business model and whatnot. 


Anthony Fisic 14:59 – 15:24

Right. And I think a lot of that, to your point, would be driven by the government and where they’re coming from. It may be easier just to throw those in segregated skiffs that we already have. So I think really it’s the, as an organization and as a business, we’re really relying on the government’s approach. Most of the things we do are within level two and anything beyond that. We have certain sensitive areas throughout the United States that we could work through those. 


Max Aulakh 15:24 – 16:07

Sure. Yeah, absolutely. So let’s talk about any kind of mental kind of stressors that were caused by this, right? So, as a leader, of course, you have to manage up and external stakeholders and your team. A lot of times when we’re working with the chief security officers, their team is under high stress, man. Right? So, what was that like for your team, and how did you guys pull together? Were there any kind of lessons learned from that, especially when they’re interfacing with an external party, the DIBCAC auditors, right? And what we’ve gone through, they kind of split everybody up in different rooms and whatnot. So what was it like as your team managed this stress for you? 


Anthony Fisic 16:07 – 18:06

Right. So I think what we did was we made sure everybody was in the same room. Oh, really? As the audit occurred, it was a virtual audit. So we made sure that the security governance manager, the infrastructure leads, and everybody we needed to answer certain controls were in the room. So, in taking a step back from a perspective of high stress, you know, everybody’s trying to do the right thing, and communications can break down. That’s why it’s important to have somebody in the room. And, you know, those are friction points, but that’s the clarity of you speak to this. And then as we talk to, you know, not necessarily associated with the government control design, roles and responsibilities, attestation and expectations. And sure, all those shake out on the SSP, but whether it’s IA or a business partner, infrastructure or app dev or security, or you pick it, or network, we all have to work well together. And I think that my role in that was being a smoothing, calming, everybody’s doing the right thing, let’s find the right answer. And I think in high-stress environments, teams tend to send an email, and then it’s back and forth a week later. And we play this email tag. As I said, getting in the same room and talking to people is the most, I found in this situation and many others, the most effective way to defuse that. Because if you’re looking somebody in the face in a high-stress environment, it’s not you versus me or me versus them, which it’s hard to get through on emails, texts, or virtually. Sitting in the room with somebody breaks down those barriers, and you collaborate. So I think that’s the lesson. Whether it’s this or others, high stress environments, people need to sit next to each other. Bill, and even prior to that, as an organization, you know, and I think that’s once again, we’re fortunate, lots of tenured staff, lots of good relationships and friendships, even, even that was still a stressful enough environment. We saw some of these things happen, and they getting them in the same room, communicating same language. We’re in this together versus tossing things over the fence. 


Max Aulakh 18:06 – 18:57

I think that’s a key takeaway. Anthony, that’s a great point because so many times, we can look at the auditor as kind of the enemy, right? If you can actually collaborate, because we all know our industry has challenges, and that’s why these new legislations are coming out. And if the person is intelligent across from you or sitting next to you, they’re going to want to empathize and work with you through some of those challenges. But Anthony, on that note, Before you had the auditors, whether it was, you said, virtual, did you guys have to do any kind of preparation? So for chief security officers that have not gone through this, what kind of prep, whether it’s a pep talk or, Hey, you covered these controls, a division of labor, how did you prepare your team so that others that are listening, they can have the chance to do the same kind of thing. You know, when, when they have been notified, Hey, we’re coming on site virtually or in person. 


Anthony Fisic 18:58 – 21:21

Right. And just at a high level. So once again, emphasizing strong leadership in the team and partnership. Right. And I did, I was not here from inception, but stepping into this, I think it’s once again, it’s simple things earn dividends, right? Good operations are good security, good program or project management. It’s making sure everything’s clear, making sure there’s an open dialogue. Right. And then prepping, you know, we went through pre-audit engagements. We understood. If person X knew exactly what they were doing but had shortfalls explaining something, we made sure people were trained, and then we had backing support for them in those meetings or sessions with the auditors. I may say the DIBCAC auditors were extremely professional, and we engaged this as a professional courtesy engagement. We’re honored to be part of this. And I think part of that camaraderie and mutual respect really pays off in these. It’s, it shouldn’t be out of a cereal. We’re completely open. And at the end of this, from an audit partnership and an organizational partnership, you’ve got the result. And being contentious of those is self-defeating on both ends. So, as we approach this as an organization, we’re very open. We’re all trying to figure out what right looks like. And if we have to just on the fly, we will. And from a DBCAC perspective, they approached it with the same open intellectual honesty where we’re all trying to get to point Z, but it’s a process they have to learn. You know, and we were fortunate to where they understood potentially they weren’t the experts in, you know, topic X, Y, or Z, and they brought in additional experts, which was really helpful, you know, to see a government organization pulling other outside governmental entities to help or other experts on their team. The audit team we worked was staffed with ex-federal CIOs or, you know, consulting ex-CIOs or leaders or auditors. So it was a very professional, cordial environment and engagement. And that really helped us work through any perceived issues or disconnects. And at the end of it, we achieved a perfect score, 110 out of 110. So extremely happy with the DBCAC process, the engagement team we had from, you know, DBCAC on down, everybody was super engaged and cared about the end product, not let me check my block and get out of here. So I think that’s something that teams can look forward to. It’s an interview process that everybody cares about, and we’re all working towards the same goal. 


Max Aulakh 21:21 – 22:17

That’s awesome. Now, I know the Joint Surveillance is a voluntary program, so it’s great. It sounded like your organization, before you even got there, had embraced this idea of let’s get them to help us, which is fantastic. And another key point you mentioned is you had a pre-audit engagement, which helped prep the team. Right at which kind of help most likely alleviates some of these stressors, which is amazing now when it comes to the dead cat, and I know we talked about earlier the balance did you find any areas that? Others should be aware of where there was unreasonableness, whether it’s on one side or the other right where you guys perhaps over-engineered an environment that wasn’t the requirement and that’s not what they’re looking for. Or where the DBCAC side is where they don’t really understand your business and they’re asking for things that are not reasonable. Is there any light you can shed on any of those areas that may have come up? 


Anthony Fisic 22:17 – 23:18

I can’t point to any specific area, but I think largely our conversations were on ensuring that the dirty bucket clean bucket were truly isolated, you know, and making sure those function appropriately. And that’s a lot of the deep conversation. And I’m not going to specify which technology, but if we were to use a cloud provider, you know, making sure they have the depth of knowledge. And even within cloud providers, there are some limitations that prevent, you know, certain controls from being met in that way. So you just have, and it applies across the DIBCAC and anybody in this business. So what a lot of these conversations are, what is vendor X or, or CSP Y going to do to help this? And then taking that away or, you know, implementing a control on your end to mitigate that. So it doesn’t lay on the CSP, it’s something you solve internally. So a lot of it was interactive, open feedback, but I think most of our time was spent on the dirty clean aspect of this, ensuring the confidentiality and protection of that data on both ends. 


Max Aulakh 23:18 – 24:13

That makes sense, yeah. I think it’s easier to critique than to create these technology environments, right? As an auditor myself, it’s easier for me to say, hey, you need two-factor here; you need CUI management here. But I may have no idea what the actual technical landscape is. So it’s very easy to say the burden of proof is on you. And it sounded like they were really being collaborative, which is awesome. So not naming any vendors, but are there any other gotcha controls you can think of? The requirement itself that we’re like, man, that’s a stickler requirement. And if you’re a chief security officer, you’re going to volunteer for this. Make sure you pay attention to this from you know, whether it’s a simple technology perspective or awareness and training. Are there any things that you recall, Anthony, that were like, man, I wish we would have done a little bit better here, or, you know, they didn’t really dive into this area? And this is where we put a lot of our effort. Can you provide any context from that perspective? 


Anthony Fisic 24:13 – 24:59

I think overall, they’re very, very thorough. But one of the I think I’d ask people to pay attention to is that interaction with that virtual environment through that virtual desktop if you choose that path. maintaining and understanding controls around there and being really well-versed in how you can explain that to the auditors. And they were open and they brought in a cloud person that would understand this. So I think that’s very involved, very caring. And if they didn’t know it didn’t impress me or prove it to me, it’s we’ll get somebody that can talk to the language and help us interpret this. At this point, I think there have only been 20 or so organizations that have been through this process. So it’s a learning curve for everyone. and you just have to open it and be open to suggestions and work with them to try to find the right answer. 


Max Aulakh 24:59 – 25:27

That makes sense, Anthony. Yeah. I mean, they don’t even have enough sample size, right? 20 organizations. And so I could imagine, but I think the key is they were thorough. You had a team. So it’s important for us not to just look at it as a paperwork exercise because look, when you get a group of 20 professionals or 10 professionals, we can all kind of look at each other and say, okay, I see the paper, but you know, let’s get to the meat of it so we can bring some value and meaning to the work that we’re doing. Right. So. 


Anthony Fisic 25:27 – 26:17

Right. They are in the systems looking. There is no, there isn’t a paper drill. I mean, I’m sure you’ve seen an audit, like, Hey, show me a screenshot of this. Now it shows me in that environment, in that structure of AD or whatever you’re using that this is restricted or these, how you log this or that, those outputs. It’s very involved. But once again, if you do that work up front, and that’s just your business process and expectation, that’s where all these things feed, right? It’s these are the right things for many reasons. And the government has begun to; it’s always been a requirement. They’re beginning their approach to audit that framework. And you always want to be in a good position from a compliance or security perspective and a diligence perspective, just to make sure you’re maybe overdoing, underdoing it, but just making sure you’re right in that zone of excellence. So you don’t have any issues no matter what happens. 


Max Aulakh 26:17 – 26:59

Anthony, man, I don’t think the world is ready for that, to be honest. I mean, how many times we have done an audit, and it’s like, here, take my SSP and a million of my paperwork, but what you’re saying is, they look at that, but then they say, show me the environment, login, and actually look at what you’re doing. That’s very rare, right? I mean, we don’t typically see that in the audits, and I think that’s a nuance for the audit world in itself unless you’re dealing with the classified systems, but when it comes to unclassified stuff, I think that’s a new kind of an approach to validation, right? And we’ve been talking about it, but yeah, that’s pretty, pretty, it’s good, but it’s also, I think it’s going to change the way we do audit in general. 


Anthony Fisic 26:59 – 27:24

Right. You know, if you think from a SOX, SOX 404 perspective, those externals are looking in there too. I mean, it’s much the same, and I wasn’t part of every audit or every control look-through, but the ones I was aware of, it was, show me this, show me that. No, in a system, right? And let me look at those rules, right? As they bring in a cloud expert, show me this in cloud environment A, right, to make sure these things line up with the policy in the picture. 


Max Aulakh 27:24 – 27:55

And man, I think that’s really key. Having the right experts there that’s great. So, Anthony, we’re coming up on the tail end of this. So, I’ve got a couple more questions for you. So, any thoughts on, you know, there’s this whole new revision on NIST level two or revision two to revision three? How’s your organization managing that? As you were going through this, were you guys already future-proofing to that? Or is this something that you’re waiting for the government to finish out and then start to shift your environment? towards the new release of NIST? 


Anthony Fisic 27:55 – 29:56

So we’re always working through and anticipating changes. But part of the strategic approach to this was, you know, the goal is seeking equivalency with level two and its current state and then being grandfathered into level three. Right. So, as we approach this, clearly, there’s no rule formalized yet. You know, it’s a voluntary assessment. But the approach going in there was we’ve prepared since day one for this, and we need to get credit for it. Right. We’ve done a lot of work. Our approach was this, this is the only viable option at the moment for us to get credit for all the work we’ve done. And then the hope is of the risk calculation we made was this will transition into, you know, a three-year, you know, CMMC level two equivalency, but on the research, we would catch up on level three. Right. So we’ve tried to build some timeline here because you can only hold, you know, hold the gas pedal down and the brakes on it for so long. And those tires wear out. So we wanted to get this moving and operational with, you know, as an industry leader to, to show the way forward and start moving workloads in there to this newer enclave to make sure we’re compliant, no matter when it happens. And if we have to adjust and evolve, that’s just a matter of course, but we are trying to buy that time in there. And by no means does that mean we won’t implement earlier, but it’s just an organ, a buffer from that requirement. So. we’re not running headlong into a wall or if three rotates, you know, it goes to four by the time three comes out or whatever these things are. We want to be ready at the current standard right now as an installation and future-proofing to some degree of those changes. As you saw, that backlog with the DIBCAC, once that was kind of an established method, grew immediately. At first, it was like, hey, you can do it in a week, and then it’s three weeks, and then it was like eight months, right? So we were in a sweet spot there, I think in June when we did it, last June here, of 23 to really get it done. And we decided to execute and lock in our win with the potential of extending that further down the road. 


Max Aulakh 29:56 – 30:27

I think it’s such a great strategic move, Anthony because it not only saves you from all of the certification nightmares that’s going to happen with the three PAOs and C3PAOs, which, of course, we’re getting through right now. But would you recommend to other chief security officers out there who are listening that they should volunteer for this? And if they should volunteer for it, What are some key takeaways that they should be prepared with if they’re going to do this joint surveillance journey in order to kind of strategically position their organization in the leadership spot? 


Anthony Fisic 30:27 – 31:29

I would say proceed very carefully. It’s been, when we went through it and where we’re at in the process, it’s going to get very muddy moving forward. So at least we, from a Battelle, in my perspective, we’ve locked in, right? So somebody could be in the process of waiting for this, and it shifts again, right? I think timing is super important and every organization, based on their size, complexity, you know, depends on how fast they can get through this. I’m in the audits for about a week-long, maybe work day, seven work days. But that’s kind of, I think, you know, I’ll take that back. It was three full days and then follow-up and close out at the end of the week with some overlap. But I think that’s the key. Every organization has to look at this from a risk perspective. And I would say even now, especially with revision three coming out in these long wait times. which you can back out of; I would say just be very careful. I can’t give a firm yes or no because right now, the path is very muddy on 3.0, and then the ruling, you know, I don’t want to say a mess, but it’s very unclear at the moment. 


Max Aulakh 31:29 – 31:52

So what you’re saying is what we don’t want to do is the, it’s kind of the traditional move of, well, I’ll get auditors to come in to build a business case for security. You don’t want the government to be coming in to build a business case for security because there’s a lot of uncertainty. And for those who are considering, I think the key takeaway from Anthony is that the organization has been preparing for a long time. 


Anthony Fisic 31:52 – 32:36

Right. You’re not going to start at zero right now. I mean, you should have potentially started a little early. These things have been out for a long time. This is just formalizing those. And we chose a different strategic approach to put it in an enclave, you know, and kind of work through that because it would just be too big. And maybe not everybody has that problem, but these are just formalizing those. Make sure they’re lined up in an SSP. Maybe they were loose before, but really tightening your shock groups up to make sure that you can attest to these, you know, the external audit, right? You may have been doing the right thing all along, but The way controls are written is super important, and that evidence is super important. So a lot of that is now that it’s formal or going to be formalized is really the highlights that we went through versus true novel compliance efforts. 


Max Aulakh 32:36 – 32:58

Yep. Yep. Don’t tell me, show me. Right. Don’t tell me, show me. Well, with that, Anthony, man, I just want to thank you for coming on this show. I know there are a lot of people out there that are listening, and they want perspective. So I just wanted to thank you for this, and man, I’d love to have you back on. Are there any parting thoughts any key takeaways that you’d like to add? 


Anthony Fisic 32:58 – 34:06

No, first, I’d just like to thank you for having me here. I really appreciate you taking the time and talk to me about this subject. And I think just overall, from a compliance perspective, a security perspective, this is a breaking point or a changing point. And whether it’s AI or supplier side security for the government, wars going on around the world, and a cybersecurity focus, I think it’s, let’s keep our heads up, our eyes out and really try to avoid a lot of this through, if possible, making security just part of your process. This is what you do. So when these things rotate, you can operate from the mentality of or evolve. These things are really a control is a control is a control. I’m just aligning it to something else, but we’re always doing the right thing. From a CISO perspective, we’ve all heard about solar winds in the SEC or the new form requirements to report breaches or even as far back as Uber. We want to make sure we’re being transparent and open, and have the right processes in place to enable compliance through security versus the other way around. 


Max Aulakh 34:06 – 34:10

I think that’s a topic for another episode. Anthony, thank you so much. 


Anthony Fisic 34:10 – 34:13

I appreciate it, man. Thank you very much. 


Max 34:13 – 34:23

Thank you for tuning in. If you enjoyed the podcast, head over to ignyteplatform.com/reckless. You’ll find notes, links, and additional content. Head over to iTunes to subscribe, rate, and leave a review. 


Ignyte Platform becomes a third-party assessment organization (3PAO), now listed on the FedRAMP Marketplace - Read More