In this episode of the Reckless Compliance podcast, Max is joined by the CTO of Valid Eval, who shares the journey of achieving FedRAMP Ready status and securing an IATO from NASA. From early career work on advanced defense systems to building a SaaS platform that streamlines proposal evaluation for government agencies, this episode dives deep into the realities of navigating federal compliance. The conversation highlights strategic investments in Kubernetes and open-source frameworks, lessons learned from choosing the right FedRAMP path, and why owning your own ATO can be a game-changer for growth in the federal space. You’ll also hear insights into how and why Valid Eval chose Ignyte as their audit partner.
Discussion Topics:
Max Aulakh Bio:
Max is the CEO of Ignyte Assurance Platform and a Data Security and Compliance leader delivering DoD-tested security strategies and compliance that safeguard mission-critical IT operations. He has trained and excelled while working for the United States Air Force. He maintained and tested the InfoSec and ComSec functions of network hardware, software, and IT infrastructure for global unclassified and classified networks.
Connect with Max:
LinkedIn: Max Aulakh
Website: Ignyte Assurance Platform
Connect with the Guest:
LinkedIn: Jacob Ablowitz
[00:00:00] Max Aulakh: Welcome to Reckless Compliance Podcast, where we learn about unintended consequences of federal compliance brought to you by ignyteplatform.com. If you’re looking to learn about cyber risk management and get your product into the federal market, this podcast is for you. Or, if you’re a security pro within the federal space looking for a community, join us. We’ll break down tools, tips, and techniques to help you get better and faster to get through the laborious federal accreditation processes. It doesn’t matter what type of system or federal agencies you’re dealing with. If you’ve heard of confusing terms like ATOs, FedRAMP, RMF, DISA STIGs, SAAB SARS, or newer terms like CATO, Big Bang, OSCAL, and SBOMs, we’ll break it down all one by one. And now, here’s the show.
[00:00:44] Max Aulakh: Hello everyone. My name is Max Aulakh, and today we are going to talk about something really exciting. One of our customers, Valid Eval. They just achieved their FedRAMP Ready. We’re gonna talk to Jacob Ablowitz, who’s the CTO of Valid Eval. So, without further ado, Jacob, let’s start with this.
[00:01:07] Max Aulakh: Tell me a little bit about your background and then I wanna know about Valid Eval. ’cause you guys do some pretty exciting stuff for the government. Take it away, man.
[00:01:15] Jacob Ablowitz: How you doing Max? Good to see you again.
[00:01:17] Max Aulakh: Yeah, good to see you too, man. Thank you, by the way, for being on here with me.
[00:01:21] Jacob Ablowitz: Yeah, no problem. It’s nice to be able to talk about something that was, not an easy achievement. So you asked about my background. I have a pretty weird background. I graduated from college in 2002, right after the first internet bubble burst. And, I thought I was gonna go be a startup guy.
[00:01:38] Jacob Ablowitz: And that time was like it is right now in a little way. Where, coming right out of college, right after the internet bubble burst, it was sporty out there. So over a year after I graduated, I ended up moving out to San Francisco. So I grew up in Boulder, Colorado, and went to CU for undergraduate.
[00:01:56] Jacob Ablowitz: And so I moved out to Silicon Valley, thinking I was gonna hook up a startup job. Over a year later I ended up working at Lockheed Martin in Sunnyvale, working on what is to this day the coolest technology I’ve ever seen. It was a program called Airborne Laser where they put a megawatt class heat energy laser in the back of a 747, and it was for boost phase missile defense.
[00:02:16] Jacob Ablowitz: And my very first job out of college was a test engineer on that thing, and they managed to pull that off with like mid-nineties era, like Sun Solaris boxes and Wind River real-time systems and like Digital Alphas, like before Compaq bought Digital. That’s how old that stuff was, and it worked. Like, it did work.
[00:02:38] Jacob Ablowitz: They managed to shoot down a test article. Of course it had some limitations. And they ended up turning it first into an R&D program and then eventually retiring it. And it’s been scrapped, but the technology that they figured out for that, and a lot of the people ended up working on Helios.
[00:02:54] Jacob Ablowitz: Which now looks like it’s gonna go onto Navy destroyers, which, with advances in solid state heat energy lasers, I think, we’re in a different place than we were then. And the marginal cost of the shot is effectively zero. That’s a big deal, especially for drone defense. But anyway, like I said, that was my introduction to the military and government and working with the federal environment and so forth.
[00:03:17] Jacob Ablowitz: After a couple years in Sunnyvale, as you can see behind me, I’m really into music and audio. I’ve been playing drums for 35 years and I noodle around on guitar and I like to work on amps and have a work bench and all that stuff. But I was really into audio and so I ended up taking an opportunity to move to the Manassas, Virginia area to work with the Submarine Sonar Group.
[00:03:39] Jacob Ablowitz: And so I spent another six years out there. That’s where I ended up, transitioning program management. And after eight years my wife’s career took us to New York City and I felt like that was a good time to leave the defense business, which was an adventure. Ended up working at this crazy hedge fund called Bridgewater Associates for about a year and a half.
[00:04:00] Jacob Ablowitz: That’s Ray Dalio’s firm. If you’ve heard of him, he’s really active on LinkedIn. A year and a half there felt about as long as eight years at Lockheed Martin. It was a heck of an adventure. The principles are a thing, if you look into the things that Dalio posts. But, after a year and a half there, I was ready to try my hand at a startup, and so I moved back here to Denver.
[00:04:21] Jacob Ablowitz: And, I got myself situated and founded a startup, called Data Markets, our concept was to be like a commodities exchange or an eBay style open marketplace for buying and selling data products with the concept being like, Hey, how can we do price discovery? And that was a big idea.
[00:04:39] Jacob Ablowitz: Learned a lot about being a startup guy. And after five years of grinding, I finally accepted it. It wasn’t gonna happen. I’m not the right guy to raise the money to pull that idea off. And I think the time has passed for various reasons. But, then Adam Wrencher, CEO of Valid Eval was my next-door office neighbor, in a coworking space from like 2017.
[00:05:02] Jacob Ablowitz: In fact. I had helped him with a little bit of technical consulting on the side. I had been working with some graph database stuff for data markets, and then Valid Eval had a natural interest in structuring its data using a graph database or a knowledge graph style approach for a bunch of good reasons.
[00:05:23] Jacob Ablowitz: And so I naturally fell into helping him with some consulting on that. And towards the end of 2018, that was when AFWERX was really early on with their open topic concept for SBIRs. You go back to that timeframe. The idea of the government posting, Hey, show us what you got.
[00:05:43] Jacob Ablowitz: If we like it, we might buy it. New at that point, like that wasn’t a thing. And I had heard a little bit about that through my residual Lockheed based network. Adam heard about it, and the acquisition selection process was something that, I had seen back in my Lockheed days, was a real challenge for the government in a bunch of different ways.
[00:06:04] Jacob Ablowitz: And I even actually tried to start a side business with a grad school classmate back in 2009, building something analogous, but Valid Eval was, and is much, much better than what we came up with back in that time. And so when AFWERX posted their open topic, Adam asked me, if I’d be willing to help him write a proposal, and say what you will about Lockheed Martin, they are very good at writing proposals.
[00:06:28] Max Aulakh: Oh yeah, proposals. Yeah. They got a machine, right? They got a, they got the meat stack for the proposal writing.
[00:06:33] Jacob Ablowitz: So been there, done that, bought the t-shirt. I learned from them the best. And I was able to help Adam write a proposal that fits into the way government folks receive and interpret and understand proposals and, I understood requirements, traceability and things like that to be able to.
[00:06:50] Jacob Ablowitz: To make it readable and understandable, we managed to win a phase one in the 18.3 cycle. So right at the end of 2018. Turned that into a phase two in March of 2019. And, it’s funny, the Air Force ended up feeling because of legal issues, like they couldn’t use our system because of CUI issues and information security.
[00:07:15] Max Aulakh: I wanna ask something just ’cause I think this is really important. So for those that don’t know, what does Valid Eval do? What’s the mission of it? Because I think when you said, Hey, the Air Force didn’t want to use it, my thought goes to. It’s because you guys are solving the problem that they’re trying to address when it comes to proposal management, right?
[00:07:35] Max Aulakh: So I don’t understand everything about Valid Eval either, but help me understand, like for those that are listening, what do you guys offer?
[00:07:42] Jacob Ablowitz: Thank you. I launched into my spiel without really... how to ground that. So Valid Eval is an online SaaS platform used for group decision making in like high complexity, high stakes environments.
[00:07:58] Jacob Ablowitz: So everything we do starts with a predefined rubric that is derived from commander’s intent for the selection. Okay. And it guides a group of expert evaluators through a process of submitting their expert evaluations in subjective and objective terms, in ways that tie directly to the classic weighted average decision making process, but using a predefined framework that we actually encourage our customers to publish the decision-making rubric in the solicitation.
[00:08:33] Jacob Ablowitz: Say, listen, this right here is how you will be evaluated using the following explanations. There’s, when our customers see fit to give feedback reports out of our system, there’s like a heat map where you can see the different opinions that the judges had from reading your proposal. And there are also settings that allow customers to share, like box plot style, performance outcomes, data where you can see, where you were relative to the pool of applicants.
[00:09:02] Jacob Ablowitz: You know our view now, six plus years later, we’ve processed over 150,000 expert evaluations of over 15,000 proposals across over 500 acquisition programs, both commercial and government, zero protests sustained in that time, and when we’ve had to respond to them, we’ve been able to assemble audit reports and narrative and an explanation in less than a day.
[00:09:32] Max Aulakh: Wow.
[00:09:33] Jacob Ablowitz: Or our Army customer in particular.
[00:09:35] Max Aulakh: So essentially this is so important, especially with AI, a lot of people are pushing proposals because of Chat GPT, and you guys can actually provide some sort of a defense mechanism to say, yeah, no, there’s no technical merit.
[00:09:50] Max Aulakh: This proposal is worthless. And you can really help the government in that standpoint where they can fight a bid protest and keep the business moving, which is incredibly needed at this time.
[00:10:00] Jacob Ablowitz: So we believe that what we’re doing is a very government efficiency friendly concept.
[00:10:06] Jacob Ablowitz: Fundamentally, our view is that for years where nothing is greater than one. Humans are and will continue to need to be involved in the proposal down select process. Having looked very carefully at this, we don’t believe it’s likely that even with GraphRAG, retrieval-augmented generation and other techniques, even with those things, it’s unlikely that a predictive model, which LLMs all are, will be able to adequately intuit and look forward into the future to be able to say, the following selection criteria are likely to give us insight into how this company will perform if selected. So we’re actually looking very carefully at how we can build AI tools into more of a trusted copilot model. Augment the human intelligence, but fundamentally, the hundreds of experts at the Army Research Lab that are involved in evaluating proposals for the programs we support at the Army, they have decades of experience and insight that have been built up, and so our focus is to simplify and facilitate the process of taking that expert knowledge.
[00:11:25] Jacob Ablowitz: The opinions that they develop while reviewing proposal materials and quickly turn that into structured data against which now modern data science algorithms can be run. For example, bias correction algorithms, which is one of the key things we do to try and reduce interrater variability, as it were to use a technical term, right?
[00:11:47] Jacob Ablowitz: So that if you happen to get a judge that grades everybody low, but they’re not evaluating all of the proposals. They’re evaluating a small chunk and some other competitor gets a judge that rates everybody high. Like how our system comes up with recommended outcomes involves trying to compensate for that using what’s called an expectation maximization algorithm.
[00:12:10] Max Aulakh: That’s amazing, Jacob.
Jacob Ablowitz: Am I going a little too deep here?
Max Aulakh: It’s far beyond what I understand, but the terms you use sound pretty amazing. But no, in reality, I completely get it. It’s hard to replace human discernment, so you’re augmenting them, you’re helping them, make some of these decisions at a much faster rate, which is really what efficiency is all about.
[00:12:31] Max Aulakh: And yeah, it’s gonna be difficult to get rid of all of this experience that these evaluators have. Which kind of leads me to my next question, right? So these evaluators are putting, they’re receiving information, sensitive information from the companies themselves, and then of course the evaluation performance itself.
[00:12:49] Max Aulakh: I could imagine that some of this data can’t just be public. Obviously the evaluation itself can’t be public. So how did you guys come to the realization that FedRAMP is good for you, like this’ll be helpful. Was it the government pushing? Did you guys proactively realize it?
[00:13:06] Max Aulakh: How did you guys come to that realization and understanding that this could be helpful to your business?
[00:13:12] Jacob Ablowitz: We started talking about how the Air Force was reluctant to use our system. Really it was because of information security concerns related to CUI because they were looking at using our system for SBIRs, which are FAR acquisitions, right?
[00:13:26] Jacob Ablowitz: Federal acquisition driven. But Army had this problem with the Expeditionary Technology Search program, or xTechSearch, which is a prize competition, so it’s an OTA. And OTAs don’t necessarily include so-called source selection information, right? Which means that CUI is a different thing. The other thing about Army is they were getting hundreds of proposals and they had hundreds of expert evaluators that they wanted to be able to spread across those proposals to perform a reasonable pool of evaluations.
[00:14:01] Jacob Ablowitz: But you can’t have every single reviewer read every single proposal in that environment. And you know how people have been doing this for decades is either paper forms or emailing around spreadsheets, which once you get to tens of competitors and tens of judges becomes a data management nightmare, much less hundreds.
[00:14:21] Jacob Ablowitz: You put that all together and that’s where we got our earliest traction was with the Army. And in going through that process of realizing that we were blocked from working with the Air Force because we didn’t have IL4. As we started to have other opportunities, like with the Department of Transportation where their SBIR program saw, like they sent some expert judges to xTechSearch to be a part of some ground vehicles related evaluations, and the SBIR program manager saw our system and said, how can I get me some of that?
[00:14:50] Jacob Ablowitz: Which, that’s the best sales you can get is somebody seeing your tool, the product, oh, this really makes a positive impact. And so through that series of outcomes, we realized we’ve got to solve information security if we’re going to take the caps on our growth out of the picture.
[00:15:09] Jacob Ablowitz: And that was like 2019 and 2020. The first thing we did was we got onto AWS GovCloud as quickly as we could, made sure that we had some of the kind of table stakes stuff going there. And then, I could take you through a laundry list of different things we did over the years and, I won’t bore you or your audience with why we kept running into roadblocks other than to say one thing that’s very unique about our situation is that the sensitive information is sensitive until the decision is made.
[00:15:39] Jacob Ablowitz: Then it goes from being controlled, unclassified information into public information, or at least a subset. Because if you actually look at FAR, where it defines source selection information, it basically says, unless made public by effectively the source selection authority. That’s in DFAR 2.101.
[00:15:57] Jacob Ablowitz: And so that kind of, you can infer from there how you get to this point of it’s not classified, so it’s not a declassification event.
[00:16:05] Jacob Ablowitz: And what we’ve learned over the years is that there’s not a lot of people who go through a decontrol process of controlled unclassified.
[00:16:15] Max Aulakh: I think when we were going through, and I mean you hired us as your auditor and things like that. We couldn’t really consult, but one of the things that we had to get our heads wrapped around is that in order to really do this well, you gotta have general public companies.
[00:16:31] Max Aulakh: Any company interacts with a system that’s public facing, right? Or, without the same old CAC card requirements that you face in the DOD, you don’t have that side. But then you have people on the DOD side interacting with the same system, which is like really difficult to pull off. From a technical security standpoint, but that is something we had to get our heads wrapped around.
[00:16:54] Max Aulakh: ’cause as auditors, it’s not just for us, it’s not just a checkbox, it’s really about looking at material cyber risk by channeling that. Auditing against it. Yes, we can all look at SSPs and things like that, but I don’t think anybody becomes a cyber expert and says, Hey, when I grow up I wanna look at SSPs.
[00:17:12] Max Aulakh: That’s not their dream job. Some would believe, yeah, that’s what they wanna do, but I think it would be good for the audience to understand, because. Took a couple of months, it was like we try to rip off fast. It was pretty fast.
[00:17:30] Max Aulakh: We try to rip off the bandaid very fast, so it’s not long and arduous in order to get. We didn’t know you guys back then, but you guys had already started the journey, right? So for those that are not aware of that actually we’re not, ’cause we’ve actually never understood how you got to where you are.
[00:17:47] Max Aulakh: Help our audience understand what are some of the investments that you had to make in order to be even considered for FedRAMP. Because like you said, with your background at Lockheed and working with the government, you don’t just wake up one day and say, Hey, I want to do FedRAMP. So, what are some of those tough decisions, trade-offs that you and Adam had to go through in order to say, Hey, this is the path we’re going down.
[00:18:10] Jacob Ablowitz: So we, at one point, Army had actually sent money to Air Force for us to be hosted in Party Bus, if you’re familiar with that, which is one of the Platform One entities. It was going great right up until they realized that we needed to cross that IL4 IL2 to what I call IL0,
[00:18:30] Jacob Ablowitz: the completely public solicitation information, for example, like crossing that boundary, and they said, yeah, we believe that it’s possible to do this compliantly, but we’re not set up for it. Sorry. Then we ended up exploring with an ATO as a service vendor that shall remain nameless per contractual obligations in that regard.
[00:18:52] Jacob Ablowitz: And we ran into similar challenges after some extensive investments and onboarding, and that was where we went from, you know, sort of a legacy virtual machines and virtual private servers kind of approach. Our first investments into getting our system into Kubernetes and fully containerized.
[00:19:13] Jacob Ablowitz: Which, that’s some technical jargon if people listening are not infrastructure whizzes. The simple version is that it’s a very complicated framework that is really good at letting you scale up and scale down how much your system is able to handle, which is great. We didn’t actually have that need or anywhere close to it from a technical or operational or like load or performance perspective.
[00:19:40] Jacob Ablowitz: But what we saw along the way from watching, what the Air Force was doing with Party Bus and Platform One and Kessel Run, Big Bang. Like this is, we’re all containerizing. All containerized. It’s very like security forward, security first. Like they have thought a lot about how to organize these things in ways that are predisposed towards compliance with federal security mandates, right?
[00:20:09] Jacob Ablowitz: And whether you’re in DOD and the information levels framework and the CC SRG, or you’re in civilian, with FedRAMP, at the end of the day it comes back to NIST 800-53 and those controls, right? Either way and so through that series of learnings where we got to was okay, we are going to bite the bullet and invest into containerizing and moving our system to Kubernetes, not because we needed the scalability or performance at that time.
[00:20:38] Jacob Ablowitz: Because we felt that it positioned us to be able to get through the auditing process faster when that would happen. It positioned us to show government colleagues things with which they were and are familiar, which, I have a whole philosophy of what I’ve learned about how to interact with government employees that we can go into later if you’re interested, but fundamentally it’s how do you make it easy for them to say yes.
[00:21:03] Jacob Ablowitz: How do you make saying yes perceived as, if not the lower risk option than saying no, at least as close to similar risk?
[00:21:11] Max Aulakh: That makes sense, right?
[00:21:12] Jacob Ablowitz: And, this was a series of decisions and investments, and it was exorbitantly expensive for a tiny…
[00:21:18] Max Aulakh: It’s very expensive.
[00:21:19] Jacob Ablowitz: This is why we were using, for example, Big Bang, and then recently, last year shifted to the Unicorn Delivery Service, or UDS, from Defense Unicorns, which, I know you’re aware of Max, but these are some very valued partners.
[00:21:36] Jacob Ablowitz: Their CEO and co-founder Rob Slaughter, he was the commanding officer of Platform One when we first came to go onto Party Bus. So, we had formed a relationship with him before he even started Defense Unicorns. And so what’s great about UDS is it’s a lot like Big Bang, which we had already migrated onto Big Bang, some years ago, but it’s a lot more simplified and opinionated.
[00:21:59] Jacob Ablowitz: There’s way less different variations and ways of doing things. It’s much more of a like off-the-shelf cookbook. And for a tiny little company like ours, we do not want to roll our own Kubernetes installation. There’s like, again, if as a listener, if you’re not familiar with what I’m talking about. There are tens of different tools involved in getting a full Kubernetes installation, going with observability and networking and all the other things that go into the infrastructure layer.
[00:22:27] Jacob Ablowitz: And if you’re even a little bit technical, you might have heard of different flavors of Linux distributions like Ubuntu versus Red Hat, right? Well, Big Bang and UDS are kind of like flavors of Kubernetes where it’s all the different little pieces and tools and systems all bundled together into a single way of operating a comprehensive system.
[00:22:50] Jacob Ablowitz: So instead of having to build our own Linux distribution from the ground up, which is how most companies end up having to do Kubernetes, and partly what makes it so expensive, the only way we were able to do it was by using off-the-shelf frameworks where somebody else was doing that work to stitch these tools together and pre-configure them and then maintain the versioning and things like that.
[00:23:12] Max Aulakh: I wanna actually highlight this, Jacob, because I think we met with Rob as well. They were one of our great clients at some point. And, I do remember talking to them, they were doing a trade-off between bottle rockets and another Linux ding, right? So I agree they’ve done a pretty fantastic job of making that happen for a small business.
[00:23:31] Max Aulakh: But, I think a lot of companies are in your shoes like a couple of years ago. Right now I talk to so many people like the audit service itself is pretty cheap compared to all of this other work that you gotta do, right? Because how hard it is, it’s harder to critique or create than to critique, right?
[00:23:49] Max Aulakh: It’s easy to validate if something is already there. It’s harder to actually write the software and make it work. A lot of companies are actually in this trade-off battle right now of what an ATO or whatever kind of software platform as a service software, what do we pick right now? And you’re one of the few that has tried two or more, right?
[00:24:11] Max Aulakh: Tried UDS and somebody else, right? And I think a lot of people know, right? A different options out there. But for those that are like confused or they’re not sure, like who to go with, why did you switch? What are the benefits of going with a UDS type of model or some people are like, forget that I’m gonna roll my own.
[00:24:30] Max Aulakh: I think that’s really important for those that are thinking about that. Because you could be good at Kubernetes, but it’s just more than just Kubernetes. There’s a lot to it, right? But if you can help summarize the trade off analysis that you did and why did you switch? Because most people don’t switch. They just get stuck and they’re like, ah, we don’t know how to switch.
[00:24:49] Jacob Ablowitz: I talked about how we got to Kubernetes in the first place, which was forming the perception that it was a path that we could go down that had huge long-term legs in the sense that these are CNCF and Linux Foundation-supported tools that are very much industry standard at this point.
[00:25:07] Jacob Ablowitz: And we had good reason to believe that they are a high longevity, right? And then yes, we switched, but we switched from one flavor of a Kubernetes stack to another very similar flavor of a Kubernetes stack and to Defense Unicorns, enormous credit. When we made that decision to switch to them from Big Bang, we started by running a technical spike with them to see if they could just get our system to run in their environment, in their flavor of Kubernetes. Like how big of a job was that? And they were able to get it working at a basic level and pass our end testing framework in a little over two weeks, which I mean it was, and of course, once we made the decision to run with them, and go from a technical spike into a real world thing, it wasn’t two weeks, it was, I think three months before we went into production.
[00:26:01] Jacob Ablowitz: Our FedRAMP US government-facing instance, ’cause we have a multi-tenant government-only instance as distinct from another instance of our system where commercial customers go. Most of our business is federal at this point, because they’re the ones with the burning need for this type of distributed decision making.
[00:26:34] Max Aulakh: Yeah. I remember talking to Tom Clapper, who I think introduced us, and I think you guys were already working with UDS, but yeah, I think to put a finer point on my question is, not everybody has availability or not everybody has access to Big Bang. I know there’s an open-source version of it.
[00:26:18] Max Aulakh: It’s what we were using a lot of people, right? There’s an open source version of it, but then there’s also like providers of this service and they don’t know. And I think what’s really unique about what you guys have is, yes, you bought the service from UDS, but it’s also open source. It’s available completely.
[00:26:34] Max Aulakh: So if you learn it, you could run it. Now they’re a great service provider, so you kept using them and things like that, but I think that’s what people are struggling with. Do I go towards this open source model or do I get locked in and then I don’t know what to do?
[00:26:51] Max Aulakh: And this is really important, Jacob, because it makes the auditing 10 times harder. Depending on the choices that people make, audit and that’s why auditing gets expensive. But yeah, if you could talk through the trade-offs you made between that, because then, it’s easy to tell a story.
[00:27:19] Max Aulakh: Hey, we got you on the marketplace in two months. These are the choices that you made in order for us to actually accomplish that. ’cause if you didn’t, if you didn’t have that. Then we’re looking at six, nine months. How did you guys go through that switching process? What were some of the pros and cons for those that are listening in, that are considering this as an option?
[00:27:38] Jacob Ablowitz: So you made a point I think is really important. I referenced longevity in Kubernetes in general. You pointed out open source, right? I think that in the case of Big Bang and UDS, the fact that these are open-source, openly published frameworks is utterly essential to our feeling comfortable in either of those zones.
[00:28:01] Jacob Ablowitz: Because to your point, suppose the relationship did somehow break down or something happened to the provider, whether it’s a provider who’s supporting Big Bang. Or the Defense Unicorns folks, or something else. We’re not dead in the water. So Big Bang is supported by the Air Force and published by the Air Force onto GitHub, UDS is contributed to by Defense Unicorns, but actually they transferred ownership to the Linux Foundation.
[00:28:29] Jacob Ablowitz: So, it’s not just a Defense Unicorns tool now, which again was, I felt a key discriminator in saying this is a framework that is going to be supported beyond just this one organization. To your point, like getting stuck is a potential disaster, and so the trade-offs it’s, what are ways that we can work with systems that give government reviewers a warm fuzzy that, okay, this is like something I’ve seen before.
[00:28:58] Jacob Ablowitz: Even if I haven’t seen this exact thing, I’ve seen something like it before. Okay. I have a comfort level. Are we trying to roll our own security stack, or do we have other people that tens or hundreds of eyes on the security stack looking at it, how do we make sure not only is it compliant with 800-53, but how are we making sure that as zero days are coming out and turning into CVEs, that those things are getting addressed? How are we constantly staring at this set of problems? And, if you’re a Lockheed Martin, you have an internal team of tens or hundreds that you can assign to that problem.
[00:29:32] Jacob Ablowitz: But for a small company or even a medium-sized company, that’s a challenge. It’s not, that’s a big challenge. And my advice, first of all, I love the Defense Unicorns people. They’re good people. They have a high, frankly, give a shit factor, pardon my language, right?
[00:29:47] Jacob Ablowitz: The mission focus is there, which, don’t underestimate the importance of that too, right? If I’ve never had a business relationship where absolutely nothing went wrong at all. My philosophy on business relationships is, what do you do when something goes a little sideways?
[00:30:04] Jacob Ablowitz: How do you handle that? Do you get in and do you roll up your sleeves, and do you make, try to make it right? Or do you try and stonewall and, oh, it’s not our fault, this is your problem? And I’m very careful about picking partners who have that, that former mentality of, okay, we’re gonna get in, we’re gonna work together, we’re gonna make it right, and over and over again, Defense Unicorns, Ignyte, other partners.
[00:30:24] Jacob Ablowitz: That’s a mindset that I go out of my way to cultivate and search for partners that have that view of the world.
[00:30:32] Max Aulakh: No, that’s great because I think a lot of people are looking for that, right? With not just a good, honest business partnership, but also the tech chops, right?
[00:30:41] Max Aulakh: Yep. Which is very important, and that’s right. And not, get in some sort of an odd contract where you can’t get out of it, and you’re stuck. But the reason I wanted to hear you out and have others hear you out is that you do all this work in order to get audited. And like I said earlier, an audit should be a non-event.
[00:30:59] Max Aulakh: Very easy. A couple of weeks of pain, not years and months. That’s my view that’s where I want it to go. So, how did you guys select us? Because we’re a. We don’t have a bunch of past performance, to be honest. We haven’t done like thousands of audits. Now I have as a prior Airman, but Ignyte as a company, we haven’t.
[00:31:17] Max Aulakh: So what was your evaluation criteria? Would love to hear. Like, why did you go with us? ‘Cause I do know that you guys had other options. You guys had lots of other options, right?
[00:31:26] Jacob Ablowitz: We explored many alternatives. I don’t wish to speak ill of anybody. In fact, I don’t have ill words for any of the other firms we talked with, but what struck me about Ignyte and about you is I felt like you get it.
[00:31:41] Jacob Ablowitz: I felt like you are also, I, you’re hungry, you’re a small company, you are looking for some wins and some successes, and that’s where we are too. Yeah. And so there was a certain like fundamental cultural compatibility there of, we are hungry to get out there and make a splash just like you guys are.
[00:32:00] Jacob Ablowitz: And that felt comfortable, but it wasn’t just that, right. It was, I did some due diligence on you. I asked you to share a past performance contact. I don’t know. Oh, yeah.
[00:32:11] Max Aulakh: The Valid Eval check, man.
[00:32:12] Jacob Ablowitz: You were kind enough to give me the name of a former customer, and I called that person and he was kind enough to spend I think almost an hour with me on the phone.
[00:32:21] Jacob Ablowitz: Let me ask. Oh, nice. Yeah. And yeah, I didn’t know who spent an hour. That’s amazing. Maybe it was like 45 minutes. Yeah. I wanted to understand like, who am I getting into business with and what I took away from that conversation was the technical chops are there, the entrepreneurship mentality and the figure it out mentality is there, the integrity and truthfulness and honesty and, we don’t cross ethical lines.
[00:32:46] Jacob Ablowitz: Is there. And just, you know, what I kept hearing was things that rhyme with what I just said about, I look for people who, when something is a little off, we’re gonna figure it out. We’re gonna work together, we’re gonna be partners. And that was the kind of thing that I took away from the conversation with that gentleman.
[00:33:02] Jacob Ablowitz: The other piece is, you also mentioned you are a former airman, so I had good reason to believe, and actually Tom and some other folks confirmed, you know, that, oh yeah, I knew Max when he was in the Air Force and I know he’s done audits before, so I like, I had reason to believe that when you were saying that it was true, but that also means that yes, you have been there, done that with auditing, even if it isn’t under the Ignyte banner.
[00:33:26] Jacob Ablowitz: I’ve been nothing but pleased with that decision, that’s why I’m on this podcast right now. I really, likewise.
[00:33:31] Max Aulakh: You’ve been a good customer, man. You’ve been a great customer, and I think it’s awesome. So
[00:33:36] Max Aulakh: Say one more thing on that last topic, though.
[00:33:38] Jacob Ablowitz: I want to particularly compliment Ryan Gutwein.
[00:33:40] Jacob Ablowitz: Gutwein, Gutwein?
[00:33:42] Max Aulakh: Gutwein Yeah. He gets shrunk a lot. No. Yeah,
[00:33:45] Jacob Ablowitz: Gutwein, you know Ryan. Ryan is one of the most astute auditors I’ve encountered in my entire career. Like the technical knowledge, the understanding of what matters, and like where to prioritize, where he dug deeper, and where he said, No, I think this is good enough for me.
[00:34:05] Jacob Ablowitz: Like, I was really impressed with him. I thought he was a super high-quality partner to work with. And he did rightly hold us accountable on things like, I’m not saying he gave us a pat, right?
[00:34:17] Max Aulakh: I was scared for a little while, Jacob.
[00:34:19] Max Aulakh: I was like, oh man, are they gonna do this? And you guys did you, you took care of it. But yes. We did our best.
[00:34:25] Jacob Ablowitz: It’s a small company, you gotta run, roll with the punches and figure things out. But that’s part of that partnership thing. So thank you for giving me that extra moment.
[00:34:33] Jacob Ablowitz: But, I really wanted to make sure to compliment Ryan. He was really impressive.
[00:34:37] Max Aulakh: Awesome. Awesome. I know we’re almost at time. So the last thing is this, right? What type of impact, market impact have you seen since you’ve got your IATO from NASA?
[00:34:52] Jacob Ablowitz: We talked about that. So, our most recent new customer is NASA and their SBIR STTR program is doing their very first round with us. Right now the evaluations are underway today and where X Tech has hundreds of proposals and hundreds of judges, NASA has not quite 2000 proposals and over 1500 judges, and that really pushed the limits of our system architecture.
[00:35:21] Jacob Ablowitz: But now we’re finding, oh boy, are we glad we went with Kubernetes, because we’ve been able to make some adjustments to configuration. And then there were some architectural things.
[00:35:29] Max Aulakh: Is it leading to more market opportunities, Jacob, since you guys have gotten this FedRAMP ready and ATO?
[00:35:36] Jacob Ablowitz: Because we had the FedRAMP ready is exactly why we got the IATO from NASA. That was a key element in giving NASA’s internal security team a comfort level to go along with an ATO, with the authorizing official who signed off. The fact that we had done that work was partly why they said, okay, we can perceive this as a tolerable level of risk.
[00:36:03] Jacob Ablowitz: Now we are working with them to try and encourage them to become a FedRAMP sponsor as opposed to just do an internal only to NASA non FedRAMP, but internal to NASA ATO only, whether interim or ongoing. Again, because we’re on the marketplace, to get the FedRAMP readiness, we had to have our FedRAMP moderate SSP ducks in a row.
[00:36:25] Max Aulakh: Yes.
[00:36:25] Jacob Ablowitz: Again, it was a key element of being able to hand that over to the NASA team and say, look, our SSP is written, we have a pretty good idea of where our gaps are and we’re working on some of the ones that we don’t even want to try to POA&M, and then other things that POA&Ms are always a thing.
[00:36:40] Jacob Ablowitz: But it was having that preparation from having gone with the audit through you guys that let us go from being on the marketplace in March to having an ATO with NASA by the end of April to hopefully, within the next couple of months, being able to reach back out and contract you guys to do a full proper 3PAO FedRAMP assessment.
[00:37:01] Jacob Ablowitz: NASA’s willing to go with it, but they’ve already told us they’re willing to pay for that effort if we can get this, that, and the other worked out. I obviously, I can’t promise that this is a no sure thing.
[00:37:14] Max Aulakh: More, yeah, it’s creating more business opportunities for Valid Eval. It’s, which is awesome.
[00:37:17] Jacob Ablowitz: The other thing I want to compliment you again, Max. Partly of how we ended up going down that FedRAMP path was your advice of, Hey look, we Valid Eval, we need FedRAMP for the civilian market. We’re working with the Department of Transportation as well as NASA and a few other civilian, smaller civilian agency pieces, engagements, Oak Ridge National Laboratories, for example.
[00:37:39] Jacob Ablowitz: But like I mentioned before, we have Army and we’re trying to get back in with Air Force. And that’s C-C-S-R-G and information levels framework. Your advice was, Hey, look, if you’re able to go down that FedRAMP path and have that civilian FedRAMP approval first, now you’re in a position to be able to put a FedRAMP authorization in front of DISA.
[00:38:03] Jacob Ablowitz: Say, look, all you need to review DISA, are these much smaller number of controls that are different between. And that was a key element of our decision making. And this goes back to what I was saying about partnership and strategy and thinking through how do we phase these things.
[00:38:19] Jacob Ablowitz: We’re not there yet in DOD, but I feel very good about being on the path. And when we’ve talked to other DOD information security professionals, said, here’s what we’re doing. Here’s our plan, here’s our strategy. We see a lot of heads nodding. Yeah, that makes sense. Yeah. You’ll get through DISA a lot faster that way.
[00:38:35] Jacob Ablowitz: Yeah. Oh, and guess what, because we’re on these off the shelf Kubernetes frameworks and UDS in particular. We’re positioned to do automated compliance already like it, we were talking offline a few days ago. I didn’t realize that the FedRAMP 20x thing, the early pilots, are more for low impact and where we’re a moderate impact system.
[00:38:56] Jacob Ablowitz: When they were first announcing some pilots to, to try out an automated a EO approach. I’m like, Hey, let’s, yeah, let’s do it. So far as I know, we’re ready to rock and roll. Let’s do it. Yeah, of course, we need moderate, so it doesn’t quite make sense at this point, but when those things are ready on the customer side, we’re ready to rock and roll.
[00:39:13] Jacob Ablowitz: And that’s because of getting back to what you were talking about earlier, thinking it through step by step over time. Asking ourselves. As Wayne Gretzky said, it’s not where the puck is now. It’s skate to where the puck is going. And I think we all see that where the puck is going in federal InfoSec is automated compliance wherever possible, because that’s the only way that this is going to become doable with the reductions in force across the entire cybersecurity and enterprise.
[00:39:41] Max Aulakh: No, Jacob. I think that, thank you for that, by the way. I know you complimented a lot about our work, but I think that’s great. So the last question I have is this, ’cause I think, a lot of organizations, when they look at this whole giant ball of wax of ATO, there’s a lot of confusion about it, quite frankly. Not a lot of people are passionate about ATOs. Obviously, we are. So there’s a lot of misconceptions. I think I want you to highlight like some of the key takeaways when you’re looking at a stage, step by step, investment, crawl, walk, and run approach to it. Because a lot of people want to go straight for the IL4 or 5, 6, whatever, right?
[00:40:18] Max Aulakh: You guys did it differently, you guys, you know the raw pathway then the IATO, then the ATO, and I know you’ll get to the very end. What advice do you have?
[00:40:28] Jacob Ablowitz: Knock on wood
[00:40:30] Max Aulakh: You will, but what advice do you have people that are looking at this? ‘Cause there’s a lot of startups, man, they’re like, here’s 300k, and they believe they got the ATO.
[00:40:39] Max Aulakh: And I know that’s not true, I’ve se I’ve heard that. So what advice would you have some of, for some of these startups who are like hearing that, hey, it’s easy to get an ATO if you just pay enough? Like, how did you guys discern with that?
[00:40:53] Jacob Ablowitz: We took lots and lots of beatings over the years.
[00:40:55] Jacob Ablowitz: Learning things the hard way. You know what, with the aforementioned, ATO as a service vendor, part of the takeaway from realizing that our unique need to cross the controlled to uncontrolled boundary was a thing. Like part of that experience taught us the value of owning our own ATO as opposed to having somebody else own the ATO and then we’re on their system, we control our data.
[00:41:18] Jacob Ablowitz: Some data that’s supplied by proposers is owned by proposers. We do not claim, if you upload a proposal into Valid Eval, that doesn’t mean we’re claiming rights over your proposal. Sure.
[00:41:27] Max Aulakh: Yeah, that’s right.
[00:41:29] Jacob Ablowitz: We retain it, it goes into an S3 bucket in GovCloud for all the reasons. But you own your own a
[00:41:34] Max Aulakh: To your own.
[00:41:35] Jacob Ablowitz: Exactly, yes, and that was, that became a strategic necessity. Things I’ve seen since have suggested that it is a thing for a lot more than just us with just our particular unique situation. Owning your ATO gives you strategic optionality. As circumstances change, as drivers change, as customers, as federal agencies decide, we need to do this and this differently, we are able to react to that.
[00:42:04] Jacob Ablowitz: We’re able to roll with those punches, and that goes back to, where did it start? There’s lots of philosophy around, begin with the end in mind. Think about where are you headed. And trying to work your way backwards from there. And really it started with, how do we make it
[00:42:21] Jacob Ablowitz: “relatively easy” for a government employee to look at our situation, look at our package, look at our technology and documentation and all the things, and say, well, I’m willing to take the risk of putting my name on this thing. These aren’t the people who are gonna get my name in the newspapers.
[00:42:40] Jacob Ablowitz: And I think that’s an incredibly important thing to think about, right? Government employees don’t get rewarded for success. They get punished for failure as a rule. And, I was fortunate enough to learn that as a contractor without necessarily being ever a government employee or a member of the military.
[00:42:57] Jacob Ablowitz: That gives me a lot of empathy for the person on the other side of that conversation. If I try and put myself in the framework of, okay. If something goes wrong, even if it’s not my fault, if I did all the due diligence in the world, I’m still gonna get punched.
[00:43:09] Max Aulakh: Yeah,
[00:43:09] Jacob Ablowitz: That stinks.
[00:43:10] Jacob Ablowitz: That’s a, I know that’s the government.
[00:43:12] Max Aulakh: Yeah,
[00:43:13] Jacob Ablowitz: It’s not my job to make judgments on that. I’m just
[00:43:17] Max Aulakh: This is my perception of reality. It’s a service. At the end of the day, it’s a service, and that’s what it’s. But man, Jacob, we’re at time. Okay. Thank you so much, man.
[00:43:26] Max Aulakh: This has been fantastic, but, I think this is gonna be highly valuable for a lot of folks out there. But yeah, thank you so much, Jacob, for coming on the podcast. This has been fun.
[00:43:36] Jacob Ablowitz: I appreciate you, and Ignyte, and I appreciate your time, Max. It’s been a pleasure to work together. I look forward to working together more.
[00:43:42] Max Aulakh: Thank you for tuning in. If you enjoyed the podcast, head over to ignyteplatform.com/reckless. You’ll find notes, links, and additional content. Head over to iTunes to subscribe, rate, and leave a review.