
Reckless Compliance

U.S. vs European Operation Public Sector Cyber Compliance with Joseph Keenan – CISO Airbus


In this episode, we explore how global entities can serve both the US and European governments. Joseph Keenan, Global Head of Security and CISO at Airbus OneWeb, breaks down some of the challenges and provides insight into managing CMMC, security strategy and FedRAMP while selling commercial off-the-shelf products into the defense market. This episode focuses on the stressors of an international company in the age of CMMC and dives into the differences between the US and European operations that he is experiencing in his current role.

Topics we discuss:

  • What is it like to manage US public sector compliance when your organization is distributed?
  • Stressors of an international company in the age of CMMC
  • How do you manage GDPR?
  • What are the notable differences between the US and European Operations?

Max Aulakh Bio:

Max is the CEO of Ignyte Assurance Platform and a Data Security and Compliance leader delivering DoD-tested security strategies and compliance that safeguard mission-critical IT operations. He has trained and excelled while working for the United States Air Force. He maintained and tested the InfoSec and ComSec functions of network hardware, software, and IT infrastructure for global unclassified and classified networks.

Max Aulakh on LinkedIn

Ignyte Assurance Platform Website

Intro 

Welcome to the Reckless Compliance Podcast, where we learn about unintended consequences of federal compliance, brought to you by ignyteplatform.com. If you’re looking to learn about cyber risk management and get your product into the federal market, this podcast is for you. Or if you’re a security pro within the federal space looking for a community, join us. We’ll break down tools, tips, and techniques to help you get better and faster at getting through the laborious federal accreditation processes. It doesn’t matter what type of system or federal agencies you’re dealing with. If you’ve heard of confusing terms like ATOs, FedRAMP, RMF, DISA, STIGS, SAAB, SARS, or newer terms like CATO, Big Bang, OSCAL, and SBOMS, we’ll break them down one by one. And now, here’s the show.

 

Max Aulakh: [ 00:00:47 ]

Hello everyone. Thank you for this episode of Reckless Compliance, where we learn about unintended consequences of compliance in public sector. Today, we’re going to be talking to the Chief Security Officer of Airbus. The big question, what we want to understand is what it’s like to manage compliance when you have to deal with European laws, and then all of a sudden you have to deal with the U.S. public laws like CMMC and others. So without further ado, Joseph, tell us a little bit about yourself, but also for those that are not familiar with Airbus, tell us a mission of your company. And what do you guys do at Airbus? 

 

Joseph Keenan: [ 00:01:26 ]

Hey, Max, I appreciate this opportunity. So, here at Airbus OneWeb Satellites, we are the next leading competitor to the Starlink program, really kind of penetrating into low Earth orbit satellite manufacturing. Here we are really coming to the cutting edge of bringing car manufacturing to the satellite business, right? That’s how we were able to, through the OneWeb Gen 1, provide 650 satellites throughout the last couple of years and try to really saturate the market. So part of our business strategy is part of the Airbus lineup of satellites. We are a joint venture between Airbus US on one side of the house, which is part of the Airbus group, and then OneWeb. So we really have a good mix between the bigger Airbus group with all the backgrounds from US, and then the ISP side of the house is providing services across the different vendors with OneWeb. So really, one of the biggest things that we’re doing here is kind of penetrating these new markets, leveraging these parent companies into their specialized areas, with Airbus US in the US market, now within the SDA, and then OneWeb penetrating into their own commercial markets. And really this kind of goes hand in hand with my background. Previous to here I served 17 years in the U.S. military, coming out of conventional, worked a little bit of time in special operations and then the intelligence community, to really have a heavy understanding of security, not from the concept that most people have; I have it from a completely outside-of-the-realm understanding of security, risk and compliance. And that’s really where I get to grow in here. After coming out of the military, I got into Cisco, worked at Cisco for about a year, and then I took this opportunity, really as they’re getting ready to penetrate into these U.S. markets, to kind of bring my skills and leverage where we want to go in the future.

 

Max Aulakh: [ 00:03:06 ]

That’s awesome. So when you use words like SDA, that’s Space Development Agency, those kinds of outfits and then of course your background. Now, what did you do, Joseph, in the, in the military for those that are listening in?

What was your, you were in the army, what was your MOS? 

 

Joseph Keenan: [ 00:03:20 ]

So, believe it or not, I’m now into the cyber side, but I grew up as an infantryman.

I was a grunt on the ground, grew up throughout the surges of Iraq, going into Afghanistan. Started getting into a little bit of time within the special operations community. Went to go be a Ranger instructor, got time running actual large organizations and getting into security from there. So that’s where I’d say I don’t really come from the IT kind of cyber side background that most people think. I come from a holistic view of security where I can really bring it in, that I acquired over time in the military.

 

Max Aulakh: [ 00:03:49 ]

Hey, that’s, that’s awesome, man. Well, thank you for your service. Myself, I got to spend about four years in the Middle East and, you know, a lot of that stuff overlaps with a lot of the work we do. And I think those of you who are listening, I was an MP security forces guy, right? So a lot of times when you’re learning about these concepts of how to protect an organization, especially when you’re dealing with military equipment, a lot of that carries over into technology. So, man, that totally makes sense. And it’s awesome to see prior guys running the chief security officer kind of gig at organizations like Airbus. So one of the things that I think a lot of our listeners are always curious about is, you know, it’s one thing to be part of the military and selling to the military, then it’s a whole other thing to do the same thing overseas. You know, managing the defense within the Europe side of the house. So what’s that like when it comes to just compliance or risk management and security? What is that like? And how does that impact your organization, your security organization?

 

Joseph Keenan: [ 00:04:49 ]

Really, first and foremost, I mean, it’s a completely different shift in mindset coming from the U.S. markets into these international commercial, and then maybe future state, these international defense markets. There’s a big kind of spread, but at the same time, whenever you pull back the layers of it, it’s all the same. It all goes back to just basic security and risk practices. When we get those right, compliance is just an afterthought; you’re already doing it. Compliance is always there by design when you’re actually executing from the security side. So when we look into the French side of my side of the house, where we come from, we look into the GDPR. Well, what does that really consider when we think about this from the U.S. side and some of our privacy laws? We look into the NIST 853 and the PII controls. You start pulling back, there’s a lot of reciprocity, a lot of stuff that we already know that really exists. Now we just have to curate it up to a specific way. So how I leverage this out is really kind of building out that global security by design, trying to understand what do we need to do at the foundational best practices level, and then how do we scale it to make sure that we’re doing and meeting our compliance obligations from our continuous monitoring strategy? How do we have surveillance?

How are we doing our risk management, vendor assessments, where we look into where our data’s going, what’s our security posture overall? It’s just really grounding it out to the best practices, and that’s where leveraging it from CMMC comes in. Now, as the DIB is starting to penetrate into this side, when we look at that, a lot of that is just the best practices. Now, yeah, whenever we get into media protection controls, we talk about marking and dissemination controls, it gets a little bit iffy, but it’s no different than how we handle IP data in terms of an organization. We don’t want to get that lost. We don’t want it exfiltrated. We want to handle it the right way and classify it so we know what to do with it.

 

Max Aulakh: [ 00:06:27 ]

Yeah. Yeah. 

 

Joseph Keenan: [ 00:06:28 ]

So, it’s all back to a best practice in my mind, how to handle these.

 

Max Aulakh: [ 00:06:30 ]

I think that’s really what it comes down to: it’s just applying a holistic view across the board and then handling some of those oddball nuances, whether it’s FIPS compliance or whatever for, you know, this side versus that side. And you also mentioned the French side of the house. Just out of curiosity, are you dealing with other countries as well? Because the way I understand the GDPR rule works is that they have the EU GDPR, but then each state or each country has their own version of it. So how many countries are you guys operating in?

 

Joseph Keenan: [ 00:07:02 ]

For us, it is just specifically within the French side. So we have our French entity, which is Airbus OneWeb Satellites SAS, and all they fall underneath is the EU GDPR. So for us, those articles and conventions, I mean, the privacy laws that are around there, they are very impactful to us. So that’s where we have to be very careful of what we’re doing. But whenever we start penetrating into some of these future markets, now we are obliged. We have to handle what those customers are in the future, whether it’s the UK side of the house with GDPR or any specific country.

 

Max Aulakh: [ 00:07:33 ]

Yeah. 

 

Joseph Keenan: [ 00:07:34 ]

Oh yeah. I remember our general counsel talking to yours, right, when we’re starting to work together in terms of the jurisdiction control of the identities and things like that.

So I could only imagine.

 

Max Aulakh: [ 00:07:33 ]

So what about, like, I think the other big thing is, you know, as a leader, you could see the common pattern between the two, whether it’s Europe or U.S. And then, of course, you got this CMMC thing smack dab in the middle. What about the talent pool, right? A lot of chief security officers right now are grabbing up ISSMs, ISSOs, the security managers and the officers. What’s that been like for managing both sides? Have you been able to find the talent or, you know, internal training? Speak to me about talent management concerns when you’re trying to manage multiple regs.

 

Joseph Keenan: [ 00:08:19 ]

So I think that’s one of the biggest concerns a lot of us are facing right now. We talk about that there’s a shortage. There’s no shortage. It’s just the talent that understands kind of what’s going on and what’s out there when we get into these regulated markets.

That’s where the gap is. So it’s one of those: whenever I go and look into growing my French side of the house within the SAS, what do they need to be? What type of skill sets do I need? Especially as I look at building a global organization, I need an assurance capability there for the local requirements, but I also need to build out global security operations teams to handle the cyber requirements.

 

And then same thing here on the US side: I need to have my assurance teams doing all my IA activities from my ISSM, ISSO here locally. There is, there’s that talent gap. I mean, it’s hard. As I was looking into getting an information assurance vulnerability manager, people that understand the different aspects and scope of what needs to come down, what are the activities that we need to handle. They might be able to say, oh yeah, I can set up a security tool, I can do this, I can do this, but then okay, how do we do this in the most compliant fashion, and then how do we make sure that we’re maintaining this in terms of our continuous monitoring strategy overall? I think that’s where a lot of the talent shortage comes from: people have never done that. That’s one thing where we look at, what do we source talent from? It’s the people that did. I hate to say that we’re coming out of the military kind of dead. Us, that due diligence we’ve learned from, where most security practices now, whether it’s on the corporate security side, it’s coming out of the military. It’s here’s the basic foundational practices of what’s expected. So, I mean, for me, honestly, it’s trying to find three different networks, finding good talent that’s out there, people that are hungry for the next job. But some of it is just training, finding that one person that might not have the skills yet, but they’re hungry enough that they will get it.

Now they just need a little bit of extra attention and love, but they want to get there.

So, just, I love it.

 

Max Aulakh: [ 00:10:00 ]

You know, because it’s all about, you know, you said attention and love, but it’s all about investing in people, because ours too, right? You can find a cadre of people, but then especially as it applies to your business model, it’s going to change. Right, so they gotta be, they gotta be willing to learn and everything like that. But, but Joseph, there’s a lot of people that are motivated, right? The job market is shifting with all the things that are happening with artificial intelligence and whatnot. For those that are not familiar, could you give some specific examples of what are the differences between the two markets that you see that are radically different? If somebody is thinking about, you know, getting into that business and they have to deal with Europe, what are some of the key things that you’re like, man, this is definitely different than dealing with the CMMC rule?

 

Joseph Keenan: [ 00:10:46 ]

I think a lot of it’s just coming into the frameworks, not so much the tools and technology. It’s just understanding what your compliance requirements are from GDPR, understanding about data protection laws. When we look at the Nissa about classification of data, how that’s protected, I think that’s where the skill sets kind of differentiate across the pond, across the Atlantic: it’s understanding the need, where the requirements are that we have to satisfy, and how do we do that? I think the technology, it’s a standard kind of approach across the board. This is understanding what to look for, what the needs are. But I think really the talent pool shortage comes into us: what do people understand about these two different areas? What are the requirements to be able to comply with them? And that’s where I think the defense industrial base right now on the U.S. side is pretty much hindered. Not a lot of people understand how CMMC works. Whenever you look back to the NARA rule, where does it really come from? DoDMs, DoDIs, it comes from the 5200.48, 5200.01, Volume 4. I mean, you get back to that source of truth and it’s people that understand those basic level requirements.

 

Max Aulakh: [ 00:11:45 ]

Wow, man. There’s not that many people that can, that can recite these DoD instructions, right? Or at least know the rules. But that’s, you’re right, that a lot of it, even the training requirements, right? It comes from the, whatever, man, I don’t even remember, right. The DoD requirements for Security+, CISSP and all that,

 

Joseph Keenan: [ 00:12:07 ]

all that, 8570 for the IAT/IAM.

 

Max Aulakh: [ 00:12:11 ]

That’s right. So I would imagine people who understand that some of that skill is, is transferable. But, but a lot of times, yeah, with the GDPR and the European side, it’s just really what you’re saying is really understanding the requirement and then applying a lot of the technology and the tools that go with it.

 

Joseph Keenan: [ 00:12:27 ]

I don’t even say it’s the technology tools. It’s the processes. And I say this, everybody gets so wrapped up in technology and tools. They forget what we used to do when there was none of that. It’s the processes that just supports us. They don’t understand what are the requirements out of it. Same thing I see here on the U.S. side. People get so wrapped up in the tools to make our job easier and they forget the processes and the people behind it. If you don’t have that, technology means nothing. 

 

Max Aulakh: [ 00:12:48 ]

Yeah, no, it’s the old adage, right? People process tech. 100%, man. I think learning core processes, actually building them, right? How one process may be different than the other. So, Joseph, this whole CMMC thing, the bubble that’s been going on, have you guys been impacted by it? Like, what’s the impact to Airbus and how are you guys managing that today? 

 

Joseph Keenan: [ 00:13:10 ]

I mean, that’s one of the biggest things. As I came into this and started looking into it, within our different US government obligations, one of them is within the DFARS 7012, with Federal Contract Information for CMMC level one, looking into CMMC level two. I mean, we have that data getting flowed down into us as part of our deliverables to the customer. And it is impacted as we look at changes; people don’t even understand how to look at this. They understand how to, how the rulemaking process works out, or even how to vet it. So my methodology with this is how to handle it: let’s get back to the source of truth. 171 is just an overlay to the 853. Understand the 853 and you can understand the 171 in detail, understand your requirements, so that no matter where or whenever it shifts, you always have a baseline to go off and just map it directly. It’s the best thing I think you can do, and that’s how I’m trying to manage our approach to this one. Because then it allows me reciprocity. If we start getting into these other systems, I can now map it to CNSSI 1253. I can do so much more with it, and I can show my benchmarks, where I am. And it’s the best way to cross over, to include the ISO 27001 international framework.

 

Max Aulakh: [ 00:14:16 ]

Yeah, I think a lot of folks that haven’t been where you are, Joseph, when they hear things like CNSSI 1253 or RMF or 853, they kind of feel lost. You know, they’re like, I’ve never done that. I’ve never seen that. Right. So for leaders that are trying to manage this, let’s say there’s a chief security officer that’s sitting on the European side of the house, and all of a sudden they’ve got tech that’s going to be brought into the defense industrial base and they have no idea. They’ve got no background, right? What’s a good place where they could actually start to implement some of this? Because for people who have done RMF and worked with agencies like the Space Development Agency, they understand, like, I mean, they get it, right? It’s just like, if you’re in the business, you get it. But for those who haven’t, right, that are especially from overseas, because a lot of the teams are splitting out, a lot of your CUI might be splitting out across the pond, there’s no prohibition on that. What’s a good starting point for some of these individuals who are leaders, right, who are just looking for how to make progress?

 

Joseph Keenan: [ 00:15:22 ]

I think the best thing that leaders can do today is benchmark yourself. Even if you know that you’re not getting CUI now, but you want to start penetrating those markets and make yourself viable to this, benchmark yourself, understand the requirements, see where your organization is now, come up with a plan, have it in your back pocket and drive it as value to show: if we come from here to this level, it doesn’t mean we’re going to receive CMMC, but it’s now a value so we can bid on these contracts. Especially now with the new rules that are being made, I’m not going to be able to bid on contracts until I can show what my SPRS score is. You can already have that in your back pocket. So immediately a contract comes up, you’re already there. Even to be able to get there, what does it take? That knowledge. They need to pull back the layers of the NARA rule, figure out where that comes from, and understand what is CUI. Max, let me ask you this. How many people have you talked to when you start talking about CUI and you start talking about the background, how many of them kind of get lost and over their head with it, and you’re like, all right, what do you mean with this and this? You start talking about, like, FCI and be like, okay, how do you map it to what’s an SPA, or security protection asset, based on a CUI asset, based on a contractor risk managed asset? And then what does that mean? What’s an out-of-scope asset? And then they’re like, all right, what are you talking about here? I was like, okay, let’s get back to the foundations of just security practices here.

 

Max Aulakh: [ 00:16:32 ]

Yeah, I talk to a lot of people and, you know, that’s the purpose of this podcast, to educate, and if there was enough education out there, we wouldn’t need to do this, right? But there’s a massive amount of confusion out there. I know there’s a couple of guys out there, Jacob Horne and a few others. They do a pretty good job of trying to educate the masses. But man, quite frankly, there’s just not enough, especially for downstream suppliers, right, so people who are essentially supplying Airbus and others, like your organization. I think that’s where a lot of education gets lost and they’re not able to, you know, they’re not able to translate a lot of this stuff on how it fits their environment. At least that’s what I’ve seen. Joseph, how about you? Like for your supply chain, right? Do you guys work with quite a bit of smaller organizations or, or mainly larger organizations?

 

Joseph Keenan: [ 00:17:22 ]

We work with a ton of different ones, from large ones all the way down to just small mom and pop shops. Yup. So, I mean, this is something I’m in the middle of right now, actually assessing our supply chain. As we’re looking into and assessing them, because we know that right now they’re not getting CUI, but we have to benchmark them to say, all right, if we’re going to, at some point in time, get contracts that are going to require us to flow it down to you,

what does that impact to you? What’s that going to require of you? That way I can say you’re here, let me get you up to here. What’s that cost going to look like? What’s that going to be? So we can make sure that you’re ready. Because a lot of them, they don’t even have good security programs in place right now that could feed us. What’s your baseline? What do you map to? And then we start talking about Federal Contract Information, FCI, from CMMC level one, or CUI, and it goes right over their head, especially internationally. They don’t understand it. They just see these big lists of requirements in the framework. And the first thing I get is that deer in the headlights. And then it’s like, oh, what’s going on? Like, it’s okay. Let’s talk about this.

We can make this simple. It just takes time, and that’s something I’m in the middle of right now.

 

Max Aulakh: [ 00:18:20 ]

Yeah, that’s awesome. Yeah, and I think that’s the challenge of the defense industrial base. You’ve got hundreds of thousands of smaller suppliers that are working with these primes. And I think some of your partners and also even customers are actually our customers, and they’re larger customers; they’re facing the same challenge, the exact same challenge. A lot of the big guys, they can hire, they can recruit, they can find people like yourself and others, but a lot of the smaller organizations, so Joseph, the question you asked me about, does one know what CUI is or FCI is and the types of assets? It’s just, from my experience, most smaller organizations, they don’t know what they’re doing.

And then the other thing is there’s just a massive amount of confusion. You know, the new rule is out, the proposed rule, 200 pages long, and I think there’s a lot of new language being introduced in there. And of course I wrote a blog about it and everything, but it’s still, I mean, I still have a lot of questions, right. In terms of, there’s a ton of questions, right?

 

Joseph Keenan: [ 00:19:24 ]

So it is. And I hate to say this. I think it’s almost a disservice how we did the CMMC rules, how we tailored it from 853. We convoluted it by creating multiple ones across the board. There’s so much, I think that’s what impacts the defense industrial base, that makes it confusing. What do I do with this? They see that there’s a control here. Well, within that control there are also two or three hidden controls and processes that are expected. And it’s not clearly defined. Same thing when they see organization-defined parameters, like, oh, well, what’s my minimum requirement here?

 

Max Aulakh: [ 00:20:09 ]

Yeah. What’s your policy state? Well, I don’t know any of this. Okay. Where do you start at?

How about pulling back the FedRAMP stuff? Because it’s already mandated out there in the ODPs, or the JSIG. That’s a good starting point too, for organizations that don’t understand. A lot of those already have the ODPs defined for them to help them out. Yeah, I think you definitely have a leg up, especially working with some of these classified programs and CSPs where you can see that. Now, Joseph, have you guys had an interaction with the joint surveillance, the DIBCAC, those kinds of things? Have you guys thought about doing those things, or is that not really within your plans?

 

Joseph Keenan: [ 00:20:28 ]

So it was, that was one of my goals this last year, towards Q3, Q4. But as we’re going through a major transformation and developing a system out here, I had to kind of shuffle my priorities around. So that’s one of my biggest plans, early in Q2, hopefully no later than Q3 this year: going through that joint surveillance. That way we can get a team here to assess us. That way, as we sit here and we say, this is where I think I am, I want a neutral third party to come in and tell me where I’m really at, where we’re good at, where we’re bad at. Give me the black eye. So I know, whenever this really comes in further, where do I need to go?

 

Max Aulakh: [ 00:21:00 ]

Yeah, I’ve had a lot of interesting conversations with different, similar people to your profile, where they’re either starting the process or they’re, like, done. Yeah. So, I think for our audience, it’s always interesting because you and I both worked in the government, right? There’s always, well, you want consistency, but there’s always inconsistency with some of these qualitative standards and whatnot. So, man, when you go through it, we’d love to have you on and, you know, share some lessons learned and things like that. So, Joseph, for those that are listening and, you know, trying to understand if any of this information impacts the European operations, right? So, the main intent of this was to try to understand how you can apply CMMC and those kinds of things into the Europe side of the house.

Can you speak to, like, your boundary, or just your organization structure? How have you organized your team so you can manage a little bit of both the US compliance side but also the French side of the house, and maybe even how that impacts the overall Airbus side of the house?

 

Joseph Keenan: [ 00:22:08 ]

Yes, so as I came into this role, I mean, that’s one of the first things I looked at.

Our last audit findings, kind of where we’re at, getting ahead of that one, but also looking into, like you said, how do we manage the compliance aspects of this? I looked into it. Everybody likes to look at cyber security as one small silo that is an operational aspect. I broke it down across: what does it really mean to me? So I look at my operational teams, from actual cyber operations, physical operations; I have engineering within it. I broke it down through the risk and compliance teams, that way now I have true assurance activities to maintain my system level. And that’s where I looked at my global teams on my left side, and then my assurance activities are specific to each business unit: I have an ISSO that’s there to manage the security program, which has compliance baked into it. I found that’s been one of the most successful ways, because I’m able to leverage teams across all the organizations to keep our footprint as minimal as possible, to slim our technology stack down as small as possible, alleviate some of the burdens of our processes. That’s one of the best things I can say I think that organizations need to do: just find out how to integrate throughout, where you can break silos and where you need to maintain them.

 

Max Aulakh: [ 00:23:12 ]

Yep, and I think that’s what we see quite a bit, is that when there’s too much tech, there’s complexity. It’s almost like, it’s hard to get certified when you have all this, for lack of a better word, crap that you don’t need in your boundary.

 

Joseph Keenan: [ 00:23:27 ]

I mean, here’s the question. How many people even understand what their boundary looks like? Or even when we talk about CUI and the CMMC programs and all that, their data flows, to understand where they’re hosting? It’s a very open topic. I think that a lot of people have concerns around their authorization boundaries.

 

Max Aulakh: [ 00:23:40 ]

I think so too. I think that is one of the most challenging things that we’re seeing out there, especially when it comes to just understanding how COTS products get combined and built into this capability that you’re delivering to the military. A lot of this might be coming from overseas. But at the end of the day, it’s still a COTS unit. And where’s that clean cutoff of CUI? You know, it’s a really difficult analysis. We’ve tried doing it, but we haven’t been that successful yet.

 

Joseph Keenan: [ 00:24:10 ]

And that’s one thing that we did here, actually came up with the plan of how to do that. And that’s where, from our original satellite lines, we built out to keep that as a true COTS product. That way it maintains the flexibility and viability of the product, and then as it goes to transformation, at some point it triggers over into an enclaved environment as it gets handed over to our parent, and that’s when it goes through the major transformation. But it’s us there being with the parent company to help them through that CUI journey, as the ones operating on their behalf.

 

Max Aulakh: [ 00:24:40 ]

That’s very interesting, man. I’d love to learn more about that, because I think there are so many businesses today, so many chief security officers, that are in this position of, I don’t understand how much money we make from the public sector and how much money we make from the compliance or the commercial operations. Where’s the split? Where’s the CUI being transformed into CUI? And I think the answer, at least my hypothesis, Joseph, is what we learned in the military about how to declassify information, potentially, right? It’s a little bit of that, but then it’s also classifying it properly, calling COTS if it is COTS, because if not, everything becomes, European side as well as the US side, everything becomes this giant amoeba and this giant boundary. That’s very difficult to control.

 

Joseph Keenan: [ 00:25:28 ]

No. And that’s actually one of the things that I’m fighting off right now. As we get these new requirements that are flowing in, I look at where specific CTI impacts that product, where that has to occur. Some of that might have to come in from our European side, in our R and D, which then we have to push back and back: that can’t happen there. It’s like, why? That’s not going to compromise that system? Because what was an enterprise commercial system is now CUI, is being transformed into it through the code analysis. And there’s so many different levels that people don’t understand as we’re getting things down into it. What are the impacts, and be able to defend your position, to be like, no, this can’t happen. If this is what you actually want from us, here’s the impacts and here’s probably going to be the costs.


Max Aulakh: [ 00:26:08 ]

Exactly. Exactly. And I think for software companies, it might be a little bit easier, but for hardware companies, I can’t imagine, right? You’ve got this separate R and D commercial capability. That’s always been there. And all of a sudden you’re transforming it. And now it’s under these new rules and it could be like detrimental and cost prohibitive. 


Joseph Keenan: [ 00:26:28 ]

Oh yeah. And I, I think, like I said, that’s another one of those. It’s just, it’s hard for organizations to understand it.


Max Aulakh: [ 00:26:33 ]

Yeah. Yeah, it is. Do you have a separate counsel on the European side that helps you kind of manage the localized concerns, or have you guys centralized the general counsel function that can take a look at both the public sector US and then the European side of the house?


Joseph Keenan: [ 00:26:51 ]

So with us, I mean, we have our enterprise general counsel that’s here out of our parent, and then for each locale, we have our general counsel and their export control teams. But here in the U.S., we really are the ones that handle everything from the U.S. compliance aspect of it. I mean, that’s what we’re here for, and then we consult and advise to our parent company, Airbus US, who’s really the one that’s going through the major transformation as we sell them the COTS product, and then we help them take that product from a COTS side of the house through transformation.


Max Aulakh: [ 00:21:27 ]

That’s awesome. That’s awesome. 

You’re the first one to say that takes the COTS product and take it through transformation. 

And I think that is so applicable to some of the manufacturers, and some of the hardware builders out there. With code, you can write, okay, we can write code in a way that can serve both sides and have it be efficient, but I think with COTS, man, we’ve got to really understand what are the actual commercial items, so you can charge for those SKUs, you can protect those SKUs, the intellectual property of those. And this is a big topic that nobody’s actually talking about when it comes to CMMC. I’m a little bit surprised by that, man, to be honest, because I think this is what business people really care for. They want to understand what is a COTS product and, you know, how they can resell it across the board, even in different regions, in different countries.


Joseph Keenan: [ 00:28:13 ]

And that’s what I think we’re trying to penetrate here: keeping our base product always a COTS product. That way, from us, whether we sell that or we take it through transformation through the different contractual requirements, that’s on us, but nothing impacts the base level, which doesn’t impact anything we’re doing. If it is, then we look at this: what’s the best way ahead? Okay. Let’s give it to the customer and then let’s help them take it through the rest of the way. Let’s be that subject matter expert that they need and rely on.


Max Aulakh: [ 00:28:39 ]

That makes sense. Well, man, I don’t want to pry and ask more questions. I’d love to. But at some point, I think we would love to do another podcast on just defining COTS declassification. This one was really about understanding the cross-border concerns and what happens across the Atlantic. But any parting tips, any advice for chief security officers, Joseph, that are going to be dealing with this kind of concern, especially manufacturers, large manufacturers?


Joseph Keenan: [ 00:29:05 ]

I think the biggest one is just, I mean, understand your value. Whenever we get into CMMC, you’re getting ready to penetrate into the U.S. defense industrial base. Understand your value. Understand what you’re selling for. Stick to your guns. Be like, hey, this is what the cost is going to be. Here’s the impact. Show it. Be that subject matter expert. Show them: A, we do this, it’s going to be the value to the organization. And then hold those senior leaders accountable to help you guys get there, because it’s your job to take them through that organizational transformation that it needs.


Max Aulakh: [ 00:29:33 ]

Awesome, Joseph. Well, man, again, I appreciate your friendship and thank you so much for coming on. 


Outro

Thank you for tuning in. If you enjoyed the podcast, head over to ignyteplatform.com/reckless. You’ll find notes, links, and additional content. Head over to iTunes to subscribe, rate, and leave a review.