From YouTube: CNCF SIG Security 2020-06-03
C: That we had opened, and we think some good issues, especially if you're looking to contribute in some way; there are a couple that I got to look at, and then we have Tim, who's just gonna bring us back to the conversation we had on given Tina community security. Yep, yeah, so I think that we'll start with check-ins. Well, we'll wait the next two minutes so that people can resolve Zoom issues coming in, and then we'll do check-ins, go through some of the issues quickly, and I...
C: That's... I also know, wait another minute. It looks like there are a couple people there still connecting on the Zoom call. Oh good, okay, looks like everyone's in now, so yeah, that's... we're at check-ins, but before that we still need scribes. I think if anyone can volunteer to scribe, that would be great. You can put your name down in the scribe section. Thank you so much, Kevin.
D: The assessment was like, let's start digging into the code and poking at things and doing all sorts of stuff like that, and I think we should have a conversation around that, because his inclination, which I think is right, is that if we had the resources, having somebody do a very quick poke at things like this might not be a bad thing, included as part of the assessment process, but it would also have a bunch of logistical and other problems that we should discuss next week. All...
J: We had an opportunity to chat last night, and, you know, she's currently at kind of an hour-a-day health rhythm, you know, and really in kind of an on state. So your thoughts being with her would definitely be appreciated. Yeah, she's stuck in Boston away from her family, you know, dealing with this as well, so, you know, even worse. Her spirits are good, but, you know, it has now been twelve weeks since she first got sick and she is grappling with things like...
J: ...the next chair that will replace me in September. So over the next couple weeks we are working with the tech leads and our TOC liaison to put down the criteria that we're looking for in our co-chairs and trying to define that process. So if anyone, you know, has insights on, you know, similar processes... I've gone through a number of executive leadership searches.
J: You know, they tend to be a bit closed-circle, you know, things at the end of the day, and yet we'd really like to open that up a little bit more and make sure that we're, you know, leveraging this opportunity as an opportunity to, you know, grow and invest in this thing, you know, for the long term. In that, we may be evaluating, I guess, in addition to the mind mugging...
J: My term, you know, there is the possibility that we're gonna have to grapple with, that Sara might not be able to come back, and so we're evaluating whether we move from doing an individual search to potentially using this opportunity to seek out two individuals that could serve in this capacity. Yes, as Sara makes a judgment call on it, and that she's going to have to, you know, really... you know, cut good listening folks or help.
D: So doing things like, for instance, officially the chairs are supposed to be approving the conflict statement for the people that do security assessments, but due to some of the delays that we've had, you know, due to people, tell us, and other things like that, I've been sort of doing that. So if anyone has any reservations or concerns about any of those actions or anything, we're not doing this, you know, because we're... you know, we're trying to, like, you know, we're trying to do...
B: Right, things... so I have two tickets linked, my update to 77. So 77 is mostly done: my due diligence of members and content by the group, the majority of it's already complete. The last thing that's outstanding is adding a section to our contributing doc to talk about when we're reporting issues that we find.
B: This is a vulnerability or sensitivity in the security of a particular project that we have a reasonable understanding of; it's not confirmed, it's not official, it's a discussion, the conversation. This goes along the lines of rolling driver: we're doing a security assessment endorsement of the security of project Mora, but it's us looking at everything.
B: I just commented on that days ago, and so I'll go ahead and make State, and somebody can work it, or I will get it done. As far as Security Day goes, I did a little bit of research and I reached out to Megan, who is kind of working with Amy, myself and Michael about what's going on with Security Day. So KubeCon Europe turned into a virtual event, so there is going to be a virtual Security Day, Day Zero. I believe the date is August 17th.
G: That is correct. We have a deadline Friday for speakers to confirm, I believe, which is why things are kind of a little in flux around, like, what the schedule actually is, but as we know more, well, we'll know more.
G: To my knowledge, but if we come up with anything we'll let you know. All...
K: Just merged the pull request extending danced officially, because it just got approved, so that's now officially done. All right, thank you. Nothing else, I think... and think of a second.
N: Honestly, I don't know. I think that having somebody with the commit bit on the repository, as somebody who can take care of those, would be ideal. To me it feels that people are waiting for me to approve pull requests, but then I can approve pull requests, but I cannot merge them. So there's, like, round-trip time. I wonder if there's a conversation that we can have in that regard. I...
N: No, I think I can approve. I will do it with you, and probably we can do this offline. I just wanted... since I've been absent for a little while, I wasn't sure if there was something set up in such a way that I could either just approve it and wait for it to be merged and probably ping the right person, or apply for, like, having the commit bit under a certain namespace or something. Yeah.
J: The way we found that we can sort of extend that without, sort of, you know, adding a bunch of admins or publishers is designating code owners, and, you know, I think that would be entirely appropriate in this case. We can set it up in the .github folder; in that .github folder there's a code owners doc... not, not called "code owners".
J: You know, Justin's earlier comment: we want to enable us to move forward effectively, and is there anything, you know... what we're grappling with at the chair level has gone on for quite a long time, and anything that we can do to streamline that and empower, you know, leaders in this group to, you know, carry things forward, we want to make sure that we're prioritizing. Yeah.
C: All right, cool, yeah. Let's think about that. All right, and it seems like no updates other than Tim's, which we'll talk about later in the agenda. So I'm just gonna go quickly to the first part of what we wanted to talk about, and then we can jump right into the DoD stuff, which I think is more interesting.
C: All right, so we have this "help wanted" tag, and a couple issues that are tagged right now. So if you're curious about contributing in some way, I think these are some of the issues which we've identified as the kind we would really, really like to have right now; there's a couple here. Some of them are more in the process and governance space, some of them are kind of, like, technical, a bit of technical work. So I think the technical ones, these ones: automate the scribe process for cloud tools.
C: ...our guidelines and a few more, which I think Emily talked about just now, which is the due diligence: so if you find something in an assessment, what you do with that. And also assessment listing, which is, like, right now we have all the assessments and all the materials for the assessment within the assessment folder, but it isn't really...
C: ...presented in a way which, if you didn't know the folders meant different assessments, you wouldn't be able to really find it. And I think the last one that we have here is defining what the observer role is during assessment. I think we talked about this before, and I believe... I'm not sure, Justin, during the last assessment, did we have a couple people that were kind of observing during calculus again, if...
D: We did, but it wasn't like... we've never really formally had this role do anything. It was just sort of like, "I want to participate, but I don't want to actually be asked why I didn't do anything in the end, if I didn't do anything." That's effectively the way it's been treated; it's like a student auditing a class, almost. So I think we could have a more formal process around this, but I also don't know. Has anyone here been in that role and found it useful to be labeled as an observer?
D: So I think that silence probably says a lot. I would be happy with just saying... I think more structure around a role that we haven't used is probably not that important. I think just saying that they're not actually responsible, but, you know, have access to everything and should feel free to comment, then, you know, that maybe would be the better way to frame it.
C: Okay, so not really like a role, a real role, but something like: if you're curious about assessments and kind of want to see what's going on, here is how to see where the assessment is happening, here is how you should follow things. You can, like, click on the self-assessment thing and read the comments and stuff like that.
J: ...had that role, you know, because my aspirations in that role were to, you know, kind of have those individuals be mentees and, you know, preparing themselves to become members in the future. Is it, you know, worth considering maybe not, you know, publishing the list of observers if we're not expecting them to do much? I would be fine with that lack of attribution, I...
J: I was just saying that, you know, I totally agree that individuals that are coming in and, you know, looking for mentorship and looking to participate, you know, that it would be great to have them, you know, listed in the assessment and, you know, in that, committing to doing the work, and then we kind of deprioritize the observer role. If folks wanted to, you know, come in and be in the room, that's great, but we shouldn't be, you know, really promoting that. We need more assessors and we're happy to have...
D: Right, one other thing happened during the assessment, possibly to float this week, that I wanted to mention really quickly. Sorry, it's semi-related, which is that we had a couple of professors that realized they didn't have time to do the assessment, and they were really upfront about that. And so, as a result, I was able to go and recruit more people to come in to participate.
D: So if, for some reason, you're not able to participate in an assessment, tell us, because sometimes, you know, it's often hard to tell the difference between somebody who is making a bunch of notes but hasn't said anything yet and somebody who really doesn't have time. So yeah, you know, kudos to both of the reviewers that had to pull out, the assessors that had to drop, for being upfront about it.
H: Sure, why don't I share my screen with the document? All right, let me see if I can do this.
H: Here you go, so you can see the summary which I've shared in the group and also with a handful of folks who I've spoken with in the past, like directly Emily and Justin, to help socialize it. But this provides the background. Basically, the Department of Defense is putting together the equivalent of, like, a specification called a STIG, which is the Security Technical Implementation Guide, and I'll show you what's been written so far, and then there's links to an example of the STIG, and the high-level thing was:
H: What is it that somebody can do to control a Kubernetes or container environment, in the case of the Department of Defense, and they kind of made it as a checklist. But in talking with them we elicited, no, what we really want is for it to be something that's executed as code, and then the guidance was, yeah:
H: Like, not the basic meat and potatoes, but the things that people often forget and should consider if they want to really push the edge on security. So that's sort of what the charter is, and I'll give you an example of what things were done, but here you can kind of see that was the example of the architecture; there's more detail in their actual PowerPoint deck, which they shared with me, if you want to take a look at it. Let me show you what's been done to date.
H: Let me just figure out how to share my screen here. Here we go. So what they've done is they've asked a bunch of different vendors, like AWS, Red Hat, Splunk, to come in and put their recommendations. Can you see my screen? It's an Excel file... okay, cool. So you can see they just put what it is, a short description, you know, and a recommendation, and I was communicating with the people in the process at the DoD, Nick.
H: Some people haven't... none of us has done that, so you can kind of see there's also a set of categories. So the STIG, that's what I meant, it's a Security Technical Implementation Guide, and then here's how they described them so far, and so most of these have been done sort of in March. It was just slow for me to kind of get going, but this is like an ongoing thing, and they do want it from the community; I said it's gonna be harder because we're not a vendor.
H: We can't just dedicate a person who's doing it, but here I'm just showing you kind of, like, the types of things that they have, and I think for me what would be valuable from the community is... a lot of these are like config settings on Kubernetes, but, you know, he's open, as you saw in that earlier diagram. Let me just stop this. You know, they have a pretty expansive...
H: ...recommendations in general. Like, if you go back to it, let me see if I can go back and share that, hold on. There. That's just attribution, who authored it. So these were just companies that are involved, but most of the... I did a spot check, and they don't seem like they're specific to their solution. A lot of them are just things...
H: Where is it... and then the actual source thing is like, they have a lot of things here, and many of them, they just... they want to get as much open source... like, they do have commercial products here, but his interest is how much can we get as open source? So if there's an open source solution, which is why I reached out to some maintainers of specific projects that augment and improve and move the state of the art of security, that's okay too; like, you can say it's from CNCF or your project.
H: Oh yeah, sure. Let me see here, and I can open up the presentation if people want. This is like the summary version, and then he has a whole list in the PowerPoint which I can try to open up shortly. But this is like an example of what they have already or they're looking at, and you see it's a mix of commercial and not, and so that's why they invited a bunch of commercial. But he, in conversations and in just talking about the project, as part of the kickoff...
H: ...they want to have as much open source as possible, and so to me, what was interesting is this: let's not constrain ourselves to just what's a config setting in Kubernetes or on the underlying platform. But there are things like, I talked to Mr... hey, we really need to look at supply chain. Here's an agreement, and so I know there's some projects that are looking more at the overall securing of the supply chain of the software distribution and...
H: I think so, and from his... it has been like, I think so; he hasn't written it in a document exactly that way. But in our discussions he likes open source, he wants to push the limits on, you know, what is really secure. He wants to really make this super secure, and he doesn't want sort of the mean Palos, oh, make sure there's a namespace defined, you know, close ports; like, he understands those things and wants us to list it out, but I think he is...
H: He wants to have that, and then once we see those things, we've talked about having briefings with open source projects that can help him to make this... like, his end goal is, if it helps to make it, like, drop-dead secure and it can be executed as code, then he wants that as a part of the consideration. So...
P: This is Underwood. So I thought there's more involved in it. So I heard him give a talk about this last year; yeah, he was speaking at KubeCon on this, right? I didn't see him, there was the different timing, but okay. The pitch he was making to other agencies in the government was: this is going to be an approved stack, that's already approved, you can roll this in without having to go through agency approvals. That's right, so...
H: I know, yeah, yeah. So yes, he wants to have something that's been pre-approved, because they have an ATO process which is sort of, you know, long, but it's not hardened, meaning they're not prescriptive, "you can only do it one way"; you know, he's trying to keep it open, but he's trying to say, hey, this set of things is approved, but it's not, like, hardened, meaning you can only use this one tool, because, as you can see, there's a lot of things that are, like, competitive or overlap. Sure.
B: ...Nick is working on. Yeah, so I just want to piggyback off of Brandon and kind of soak up the activity, do this onto your basis, and we're more than happy to look at whatever documentation you might provide, but specifically, what you're asking for, if I'm understanding correctly, is: for a Kubernetes deployment, the recommendations that are provided in the spreadsheet that you guys have already gone through, do we agree with them, or do we feel like there's any that are missing, or are there any caveats about the first pass?
H: ...how do you deploy containers and Kubernetes, but we know that that isn't just a setting on Kubernetes or some other things. So this is kind of like the closest I can give in terms of scope. He gave... he said, here's some examples of other things, but he didn't want to limit it, because you don't want to limit the scope on which people are thinking about potential attack vectors or security compromise areas. So that's kind of the best I can, Tim... this.
Q: This is Pam, I have a question. So as you were sharing that last slide... yeah, I'm not... I guess I'm slightly, though, confused at what I'm looking at. So it doesn't really seem like anything outside of a secure CI/CD on top of perimeter defense and, like, continued security monitoring, right? I mean, this thing here.
Q: Yeah, right, so I mean, is the intent of that to create a platform that has... I think it was Mark Underwood that mentioned more of a baked-in platform, so that it's an all-in-one compass and you don't have to go and get all these little, you know, all these different pieces and have to integrate them. It's just a platform with simple integration that provides you all, from a step by step...
J: ...ahead, yeah, it's very unlikely that this will be packaged up. You know, back in 2000, I was a defense contractor and, you know, built software to get deployed on the internal DoD network, and there's just a really extensive, you know, assessment and approval process, and so, you know, by having clear answers to all of the, you know, kind of reams and reams of pages of checklist...
L: So, okay, this is Vinay here. Sorry, that's a great question, then, and I've actually tried to... I wanted to bring this up to this forum at some point. And from our day-job perspective, one of the things that I do focus on is, you know, DevSecOps: applying security across the entire lifecycle from an application perspective, if you will; that means it involves the build, the build and deploy, and the runtime perspective.
L: So I do focus a lot of my time there, and this is also very interesting, and I've put together a reference architecture which I'd also like to bring forth to this audience, to see how we can, from an open source perspective, put together a blueprint. So from that perspective, I have a lot of, how do you say, opinions and inputs for this, and if it's helpful, happy to contribute on this effort from a vendor perspective, for example.
J: Yeah, so, you know, if that defines funding, that, you know, an individual who's incentivized to go out and do that work, that's great. You know, then, you know, coming back and getting our approval, that's gonna be extra political work and, you know, involve, you know, presentations, maybe creating some issues and PRs and discussions on Slack. That way we build the broader consensus. You know, we aren't an individual to, you know, advocate... you know, with the possible exception of, you know...
J: ...one of the co-chairs or the tech leads to, you know, delegate an individual to operate on our behalf. Yeah, but if it is interesting, and, you know, there are... it's a better way for you to get more involved in security, and, you know, your work... you know, I'm very open to, you know, establishing that forum and, you know, working with you to, you know, build the consensus necessary so SIG Security can back that.
C: Yes, and I also think this is great, and one area kind of that I see this aligning very well with is the landscape stuff that we're working on. Really, you know, it's actually what you're talking about, but, you know, maybe a little bit... that's okay, tainted, yeah. So I'd be keen to discuss it with you guys and figure something out, maybe have a more in-depth discussion, coming from a vendor myself.
C: We also have some opinions. We've been working on this for, like, a certified architecture and stuff like that, so I think there could be an interesting discussion there, I think. Let me open, or if, Tim, you wanna open the issue, and then, okay, we can talk about that, and if you'd find it valuable to have a personal conversation, we can. Okay.
H: Cool. Did you see my screen decent? My screen? Okay, yes, I just wanted to circle back to the question. This is what I've been given; the team I'm on with is DevSecOps, and so you can see there's just... it's broad, but not specific, and so that's why I keep defaulting... I think we need to treat it just like it's a checklist, as someone else had.
H: So right now it's still getting a lot of these requirements or these recommendations pulled in. Most of it was done in March, and then nothing's been added to it. We haven't had a check-in on the status. I think they just kind of left this open window for people to put it in; most people put it in in March, and then the goal is, once they do it, they go on the process of actually publishing it as a STIG.
H: So I don't know exactly where we are in the pipeline, but I do know that most of the vendors already finished out in March, and he just left it... there's just an open date. I don't know what the exact close date is. I'm gonna find out when I connect with them, but I've been having technical issues with their GitLab right now. Well...
R: You know, if this is... yeah, I was wondering, I mean, is this going to be associated with the RMF or FedRAMP in some ways? Like, you know, FedRAMP can actually have a legitimate certification for the vendors' products, the services. Is that the intent for this one? I see lots of vendors here. I didn't...
H: ...anything about whether it's an actual certification an individual, like, vendor is able to get designated as; I just know this is going to help sort of provide some standardization. It'll be partly connected to FedRAMP, I'm assuming, and JEDI and all these other things, and then it's going to be made available outside of the Defense Department: hey, this is what we think as a recommendation, and rolled into, I think, NIST specifications as well. I just see it as a specification. I could be wrong, but that's my understanding they're having.
P: Just about this general topic, I guess, regardless of what we do with it... this guy is the thought leader, Nick is. I don't really understand, 'cause I'm not involved in it myself, who the other ecosystem around him is, or what DoD will do with it. You know, some DoD work gets done and never goes anywhere. It's still got value, though, and some of that gets spun off into useful work. So, you know, it's worthwhile tracking what our official connection is.
H: Bingo, yeah, yeah, you hit it exactly right, and that's why I wanted to get beyond just vendors. I think someone else noted they wanted more FOSS representation; that's kind of what I think when I... he wants that, and so that's why I think this is a great opportunity: if you've got a project that you've been working on or you have some perspective, this is a great time to do exactly what Mark said. Yeah, I...
H: Yeah, if there are things like... what I've done has been going through, when I have time, the landscape and seeing, oh, that seems interesting, and then reaching out to the maintainers, but there's a way to make it pull versus push, like, you guys know other people, say: hey, go be part of this Slack channel, get involved. I...