In this episode of "This Is Fine", Matt sits down with Harold Smith III, the CEO and Founder of Monkton, to discuss the complexities of the Small Business Innovation Research (SBIR) program. They cover the program's role in government acquisition and the challenges small businesses encounter in navigating the contracting world. Matt and Harold explore the advantages of SBIR for both small businesses and the government, emphasizing the power of collaboration and user-centered design. They also address criticisms of the program, such as "SBIR mills", and advocate for reform to encourage true innovation. Tune in to learn more about SBIR Phase III and how it can help your small business thrive!
Chapters:
00:00 Introduction to SBIR and Its Importance
03:01 Understanding the SBIR Program
06:12 Benefits of SBIR for Government
08:56 Challenges in Government Contracting
11:59 The Role of User-Centered Design
14:57 Critiques of the SBIR Program
18:06 Navigating the Valley of Death
20:54 The Future of SBIR and Innovation
25:24 Innovation vs. Acquisition: Understanding the Landscape
26:50 Navigating the Challenges of COVID-19
29:29 The Transition from Air Force to Space Force
32:08 Understanding the SBIR Process and Its Challenges
35:20 Technical Barriers in Government Contracting
39:06 Best Practices for Compliance and Data Management
43:40 Advice for Companies Entering the SBIR Space
47:31 Future Conversations: Expanding the Discussion on SBIRs
Keywords:
SBIR, Small Business Innovation Research, government contracting, small business, Phase I, Phase II, Phase III, Space Force, compliance, data management, best practice
On this episode of "This Is Fine," we dive into the controversial Windows 11 Recall feature and its implications for privacy and security. Our host, Matt Triner, CEO of Hunter Strategy, along with expert guests Jake Williams, VP of Research & Development at Hunter Strategy, Jennifer Lee, Partner at Constangy, Brooks, Smith & Prophete, LLP, and Andrew King, CISO at Hunter Strategy, dissect the legal and security concerns surrounding a feature that takes screenshots of users' work every five seconds and stores them locally.
We'll explore...
Privacy Laws,
Incident Response Discoverability,
the Impact on Attorney-Client Privilege
...as well as the broader security culture at Microsoft and the call for better governance.
Tune in to learn why turning off this feature might be the best move for both enterprise users and consumers alike.
Chapters
00:00 Introduction to the Windows 11 Recall Feature
06:45 Legal Implications: Privacy Laws and Attorney-Client Privilege
08:36 Security Implications: Clear Text Information and Breach Defense
12:37 The Security Culture at Microsoft and the Lack of Governance
34:56 Recommendations: Turn Off the Recall Feature
Keywords
Windows 11 Recall feature, Screenshot capture privacy risks, Legal implications of data capture, Security concerns in Windows 11, Compliance with privacy laws, Data governance challenges, Oversight in security protocols, Microsoft security governance, Attorney-client privilege risks, Incident response discoverability
On this episode of "This Is Fine," we delve into the critical topic of software supply chain security with our guests Jessica Sweet, Supply Chain Expert, and Dan Beller, Director of Cloud Engineering, at Hunter Strategy. We explore the vulnerabilities and risks tied to the software supply chain, including malicious software insertion and open-source vulnerabilities.
We'll uncover...
Common Risks,
Best Practices,
Vendor Management Challenges
...as well as how cloud technologies both enhance and complicate supply chain security.
Tune in to discover essential strategies like maintaining machine-readable SBOMs and implementing multifactor authentication to secure your software supply chain!
Chapters
00:00 Introduction and Importance of Software Supply Chain Security
02:11 Common Vulnerabilities and Risks in the Software Supply Chain
04:41 Challenges of Vendor Management in Supply Chains
09:43 The Role of Cloud in Enhancing and Complicating Supply Chain Security
15:59 Best Practices for Software Supply Chain Security
Keywords
Software Supply Chain Vulnerabilities, Risks of Malicious Software Insertion, Open-Source Security Issues, Vendor Management Challenges in Software Security, Cloud Impacts on Supply Chain Security, Best Practices for SBOMs (Software Bill of Materials), Multifactor Authentication in Supply Chains
On this episode of "This Is Fine," we dive into the cutting-edge world of Artificial Intelligence and its pivotal role in cyber threat detection. Our host, Matt Triner, is joined by special guests Matt D'vertola, the Applied AI Lead at Hunter Strategy, and Andrew King, the CISO at Hunter Strategy.
Together, they explore:
Predictive Analytics,
Automated Response Systems,
The Future of Cybersecurity,
...and the challenges we face in this dynamic field.
Tune in to learn how GPT and other large language models are revolutionizing cybersecurity and why staying ahead of AI advancements is crucial for both professionals and tech enthusiasts alike.
Chapters
00:00 Introduction to AI technologies in cyber threat detection
03:12 Practical applications of AI in compliance and redaction
06:49 The importance of human validation and risk-based decision-making
25:49 Measuring the impact of AI: Mean toil time and quality written pieces
Keywords
GPT, LLMs, Cyber Threat Detection, AI Technologies, Traditional Approaches, Junior Analysts, Compliance, Redaction, Human Validation, Risk-Based Decision-Making, Automation, Mean Toil Time, Quality Written Pieces
On this episode of "This Is Fine," we explore insider threat mitigation strategies for small-to-medium-sized businesses. Often at a disadvantage due to limited resources, these companies face unique challenges in effectively detecting and preventing insider threats. We'll share practical strategies to help bridge this gap and safeguard your organization.
Joining us are Andrew King, Chief Information Security Officer, and Joel Cabrera, Director of Security Operations, here at Hunter Strategy. Their experience with the cybersecurity challenges faced by businesses of all sizes provides invaluable insight into insider threat mitigation strategies tailored specifically for small and medium enterprises.
So, whether you're a business owner, an IT professional, or simply curious about insider threat mitigation best practices, sit back and tune in as we share how small businesses can confidently and resiliently navigate the complex landscape of insider threats.
Want to learn more about the Google Security Checklist mentioned in this episode? See "Security checklist for medium and large businesses (100+ users)" in Google Workspace Admin Help.
Chapters:
00:00 Introduction and Context: Insider Threats in SMBs
01:26 Overlaying Insider Threat Intelligence Programs
04:45 Prevention and Detection Strategies
06:30 Hardening Your Environment and Role-Based Access Control
09:55 Microsoft Tools for Insider Threat Mitigation
11:35 The Role of Company Culture in Insider Threat Mitigation
14:19 User Access Audits and Minimizing Access
16:07 Data Classification and Labeling
20:03 Differentiating Startups and SMBs
23:06 User Access Management and Deprovisioning
On this episode of "This Is Fine," we tackle securing mobile applications for military use with security expert, Harold Smith III. Harold, Co-Founder & CEO of Monkton (a secure mobile app provider) and owner of the MATTER IDIQ, joins us to navigate the complexities of NIAP Certification for military apps.
We'll uncover...
...for deploying secure mobile applications on the battlefield.
Tune in and discover how you can help to protect our troops, one app at a time!
Chapters:
00:00 Introduction and the Role of Contracts Officers
00:45 The Importance of Secure Mobile Applications for Military Use
02:12 Monkton's Journey and the NIAP Certification Process
06:37 The Challenges and Rarity of Going Through NIAP Evaluation
10:50 The Baseline Importance of NIAP Requirements
15:54 The Need to Stay Ahead in Secure App Development
17:38 The Current State of Software Development and Security
20:54 Building Secure Mobile Apps from the Beginning
21:43 Data Security and Architecture in Mobile App Development
23:03 Native Mobile Applications and Cloud Services
24:02 Cost Savings and Efficiency with Functions Platform as a Service
25:46 Challenges and Education for Contracting Officers
32:23 The Importance of Collaboration and Innovation in Government
Keywords:
secure mobile applications, NIAP certification, National Information Assurance Partnership, authentication mechanisms, legacy systems, future of app development, data security, mobile app development, native applications, cloud services, Amazon Lambda, DynamoDB, SBIR, small-business-innovation-research, set-aside programs, edge computing
On today's special episode of "This Is Fine", we unpack the very recent global CrowdStrike outage. CrowdStrike is an industry-leading cybersecurity company that provides endpoint detection and response (EDR) software. On the morning of July 19th, 2024, CrowdStrike released a faulty update that impacted Microsoft Windows systems, leading to a widespread outage across industries ranging from the airlines to emergency services.
To help us unpack what went wrong, we’re joined by Jake Williams, VP of Research and Development here at Hunter Strategy. In light of this problematic update, Matt and Jake discuss planning methods like balancing security needs with operational needs, mitigating disruption through staged deployments, providing clear communication during outages, and managing data confidentiality and system availability with BitLocker management.
Listen now and learn how you can improve your organization’s security posture and incident response plan from today’s CrowdStrike outage!
References mentioned in today's episode:
Jake's Tweets: https://x.com/MalwareJake/status/1814183916099780886 and https://x.com/MalwareJake/status/1814295097204449318
Sandworm: A New Era of Cyberwar and the Hunt for the Kremlin's Most Dangerous Hackers: https://www.amazon.com/Sandworm-Cyberwar-Kremlins-Dangerous-Hackers/dp/0385544405
This week, we're exploring a topic at the intersection of cloud services and national defense: FedRAMP Equivalence. New requirements introduced by the DoD CIO may bring significant changes for cloud vendors eager to supply the Defense Industrial Base.
We are joined by our special guest, Alex Trafton, Senior Managing Director from Ankura Consulting. Alex’s core focus is on regulatory and compliance frameworks within the defense industry. Alex leads a practice focused on helping organizations meet some of the most stringent compliance frameworks such as FedRAMP, CMMC, and NIST 800-171.
Join us as we discuss the changes to FedRAMP equivalence and the impacts they will have on the DIB and organizations looking to serve it.
Chapters:
00:00 Introduction and Background
06:16 The Need for FedRAMP Equivalence
13:30 The Role of Third-Party Assessors
29:07 Strategic advice for vendors
37:51 Navigating the regulatory requirements
In this episode, we explore Cyber Fusion Centers and how they deliver measurable impact to your organization's security posture. We're joined today by our very own Andrew (AJ) King, Chief Information Security Officer, and Joel Cabrera, Director of Security Operations, to discuss the impact our cyber fusion center has for our clients.
AJ and Joel break down the core components of a successful fusion center:
Progress over perfection
People, process, technology (in that order)
Proactive communication
Listen now to discover how Hunter's approach to building Cyber Fusion Centers transforms our clients' security strategy!
Chapters
00:00 Introduction and Flow of Conversation
03:00 The Concept of Cyber Fusion Centers
11:03 Ecosystem and Integration in Fusion Centers
30:49 Mistakes to Avoid in Implementing Security Programs
37:05 Conclusion and Closing Remarks
Today's episode takes you on a (somewhat procedural) ride through the world of government security authorizations. Matt Triner and Chris Sowards, a GRC (Governance, Risk, and Compliance) expert at Hunter Strategy, break down the Authority to Operate (ATO) process using a relatable analogy: buying a car. Just as buying a car is a decision that weighs cost, efficiency, and risk, the government must weigh a multitude of factors when reviewing the security risks of a system before allowing it to operate.
We'll explore the differences in ATO processes between agencies, how they handle risk tolerance, and the challenges companies face, like dealing with non-applicable controls and navigating compliance culture. Matt and Chris talk through a range of topics, offering advice for new companies and discussing the struggles of FedRAMP accreditation. They'll even touch on the specific challenges faced by software vendors in obtaining ATOs.
Don't miss this episode if you're interested in government risk and compliance, selling software to the government, or wondering why it takes so long for the government to get new systems online!
Chapters:
00:00 Introduction to ATO Process
01:29 ATO Process Analogy: Buying a Car
03:02 Different ATO Processes for Different Agencies
04:55 Different Risk Tolerance for Different Agencies
06:10 Challenges in the ATO Process
08:02 Dealing with Non-Applicable Controls
09:30 Navigating ATO Process for New Companies
11:09 Bizarre Situations in ATO Remediation
12:31 Navigating Compliance and Mitigating Controls
13:23 Teaching Assessors about System Security
14:45 Advice for Companies Selling to the Government
17:23 ATO for On-Prem Software in the Cloud
19:19 Challenges with Cloud-Based Systems
21:33 Struggles with FedRAMP Accreditation
25:02 ATO for Software Providers
27:09 ATO Challenges for Atlassian Suite
28:58 Using AWS Infrastructure for On-Premise Jira
29:57 Challenges in Assessing SaaS Applications
30:36 The Role of Third-Party Assessors
31:24 Conclusion and Future Topics
Welcome to "This Is Fine," the podcast by Hunter Strategy where we tackle key issues in technology and security within Department of Defense (DoD) networks. This week, we're focusing on Continuous Monitoring and Risk Assessment in DoD Networks.
Our guests are Dan Beller, Director of Platform Engineering at Hunter Strategy, and Chris Sowards, a GRC (Governance, Risk, and Compliance) expert with the company. Dan has significant experience in supporting continuous monitoring for DoD networks, making him a key voice on this topic. Chris brings his expertise in risk assessment and governance, offering insights into the strategic side of network security.
Together, Dan and Chris will provide a practical look at how continuous monitoring and risk assessment are carried out in DoD networks, highlighting their importance in maintaining national security. This episode is essential for anyone interested in the technical and strategic aspects of cybersecurity within the DoD.
Whether you're a cybersecurity professional, a student of the field, or simply interested in the security measures that protect our country's digital frontiers, this episode promises to be both enlightening and engaging. So, tune in, and let's explore the depths of Continuous Monitoring and Risk Assessment in DoD Networks with Dan Beller and Chris Sowards.
Chapters
00:00 Introduction to Continuous Monitoring and Risk Assessment
03:11 Continuous Monitoring and the ATO Process
06:11 Continuous Monitoring and System Modifications
09:39 Evolution of Continuous Monitoring
12:10 Assessment and Compliance in Continuous Monitoring
18:06 Tooling and Automation in Continuous Monitoring
21:36 Future Trends in Continuous Monitoring
24:36 Building Trust and Relationships
25:15 Challenges in Generating Artifacts
26:01 Automating ATO Process
28:20 GRC as a Gateway into Cybersecurity
29:32 The Value of GRC Professionals
30:01 The Importance of GRC in Software Development
31:23 The Need for Improved Tooling
32:40 The Role of OSCAL in Trusting Tooling
34:03 Tools for Managing Disparate Scanning Results
35:24 The Challenge of Limited Authorizations
36:23 Collaboration and Human Readability in OSCAL
39:39 The Need for Connected Governance
42:35 Measuring the Success of Continuous Monitoring
Today's episode dives deep into the world of federal RFPs, specifically the pros and cons of technical challenges compared to traditional proposals. Join our guests from Hunter Strategy, including Kevin Belanga, Chief Strategy Officer, and Jeff Segal, Chief Technology Officer, along with Kevin Long, Vice President of the National Security Solutions group at Highlight. Together, they untangle the different forms these challenges take and the work of crafting tailored solutions to meet mission requirements.
But it's not all about the challenge itself. We also explore the delicate balance between evaluating technical capabilities and overall fit, the impact on small and medium businesses, and the need for a shift in skillsets when reviewing proposals. We'll uncover the effectiveness of different strategies in government contracting, especially when it comes to technology development and maintenance. Finally, we wrap up by tackling the age-old question: can you truly get the best quality at the best price in government contracting?
Tune in for an insightful discussion that will leave you better equipped to navigate the ever-evolving landscape of federal procurement!
Chapters
00:00 Technical Challenges in Federal RFPs
01:26 Different Ways of Manifesting Technical Challenges
03:25 Defining Challenges that Align with Mission Requirements
04:57 Balancing Technical Competence and Evaluation
06:33 The Role of External Support in Source Selection
08:18 Ensuring Technical Competence in Vendor Selection
09:22 The Challenge of Staffing and Execution
11:19 Balancing Procurement Burden and Technical Competence
12:30 The Burden on Small and Medium-sized Businesses
13:06 The Need for Different Skill Sets in Proposal Evaluation
14:18 Theatrics in In-person Code Challenges
16:08 The Value and Challenges of Orals
19:03 Alternative Approaches to Procurement
21:20 The Value of Advisory Down Selects
25:46 The Use of Videos and Performance Art in Procurement
27:16 Effectiveness of Different Procurement Approaches
37:16 Different Procurement Approaches
39:55 RFPs and Alternative Procurement
42:00 Orals for Better Results
44:48 Commoditized Services and Help Desk
45:16 Paying for Quality
Join us for the latest episode of "This Is Fine", where Matt D'vertola, Senior DevOps Engineer, and Michael Christopherson, Senior DevSecOps Engineer, dive into the complexities of modernizing outdated computer systems within the Department of Defense (DoD). Discover the hurdles hindering the adoption of modern DevSecOps practices, as Matt and Michael share their insights on navigating bureaucratic challenges and barriers, with a focus on leveraging technologies like Kubernetes. Matt and Michael advocate for better resources and training to ease the transition from the private to the public sector. They challenge conventional thinking by suggesting a reevaluation of legacy systems, proposing a truly cloud-native refactoring approach. Tune in to gain actionable strategies and insights that go beyond traditional cybersecurity discussions, and learn how to navigate the unique challenges of implementing DevSecOps practices in highly regulated environments.
Chapters
00:00 Introduction
13:14 The Impact of Outdated Computer Systems
19:03 Challenges of Migrating to Cloud
22:26 Bureaucratic Hurdles and Cultural Resistance
31:07 The Use of Kubernetes in DoD
37:49 The Role of DoD Hosting Providers
42:26 Recommendations for Improvement
42:43 Improving Acquisition and Workforce Training
47:20 Explaining Cloud Concepts and Compliance
51:13 Sharing Knowledge and Best Practices
52:41 Rethinking Legacy Systems
55:01 Closing Remarks
In this episode, we explore the dark corners of agile practices, uncovering common pitfalls, misconceptions, and counterproductive behaviors that can hinder team progress and undermine the principles of agile. Our guests, Jeff Siegel and Greg Vanore, Chief Technology Officer and Director of Software Engineering at Hunter Strategy, share their insights and experiences, providing valuable guidance for navigating the world of anti-patterns in agile. They shed light on the warning signs, analyze root causes, and offer actionable strategies to avoid or mitigate these anti-patterns.
Welcome to "This Is Fine" with Hunter Strategy, because who doesn't need another podcast, right? But hold on, this isn't your typical corporate spiel. "This Is Fine" dives deep into Cloud security and agile methods, but with a twist of humor, sarcasm, and a sprinkle of dad jokes. Instead of boring PDFs, we bring lively discussions to life, offering a peek behind the curtain at our quirky team. Join us for a roller coaster ride through tech talk and more. Trust us, it's going to be fine... probably!