►
From YouTube: OpenShift Commons .Gov SIG #1: FISMA Compliance for OCP
Description
Synopsis:
Any deployment of OpenShift on networks owned by the US federal government, including those owned by the Department of Defense and Intelligence Community, is required to be compliant with FISMA [0] security standards. Making OpenShift Container Platform 3.3 FISMA compliant is easier than ever with the OpenShift Compliance Guide [1].
We’ll discuss how the guide was developed, how we think we can meet the criteria for FISMA High, challenges we encountered, and how the community can contribute.
[0] – https://en.wikipedia.org/wiki/Federal_Information_Security_Management_Act_of_2002
[1] – http://openshift-compliance-guide.readthedocs.io/en/latest/
.Gov SIG Co-chairs are Todd Wilson,(BC .Gov) and John Osbourne (Red Hat)
A
A
So
we're
really
pleased
today
to
have
Jason
Callaway
who's
been
working
on
the
open
shift
compliance
guide
and
has
been
working
with
a
number
of
customers
and
deployments
in
the
federal
government
sector
on
fisma
compliance
and
who's
going
to
share
with
us
the
work
that
they've
done
to
create
the
compliance
guide
and
open
up
a
conversation
with
the
rest
of
you
about
may
be
contributing
to
that.
So
without
any
further
ado,
Jason
take
it
away.
Awesome.
B
Thank
you
very
much
all
right,
so,
let's
just
dive
in
you
know
normally
when
I
think
about
compliance.
The
first
thing
that
comes
to
mind
his
driver's
licenses
and
sitting
in
a
DMV,
because
it
that
is
also
sort
of
a
form
of
a
risk
management
framework,
and
it
it's
a
useful
analogy
because
none
of
us
like
pit,
none
of
us
really
like
going
to
the
DMV.
But
at
the
same
time
I
don't
think
our
lives
get
better
by
getting
rid
of
driver's
licenses
and
just
letting
anybody
do
it.
B
So
it's
sort
of
an
unpleasant
thing,
but
a
necessary
thing,
and
with
it's
a
little
bit
more
than
that
for
those
of
us
that
work
with
the
US
government,
because
it's
actually
the
law
there's.
This
thing
called
fisma
that
came
in
this
government
act
in
2002.
So
you
can
actually
look
that
up
and
find
it
in
the
united
states
code
and
it
has
sort
of
a
spaghetti
chart
of
implications.
So
FISMA
has
been
amended
a
bunch
of
times
from
the
original
act
that
was
passed
in
2002.
B
B
B
Well,
that's
been
tested,
ok
and
then
pips
199
itself
describes
how
to
actually
implement
that
risk
framework.
The
security
controls
that
get
implemented
come
from
this
monster
document
called
853
in
a
special
publication
800-53
and
that's
got
a
total
of
about
1,500
individual
security
controls,
and
then
there
are
some
other
guides
that
you
might
have
to
comply
with,
such
as
fips
140-2.
That
does
a
lot
with
which
crypto
algorithms
you're
able
to
use,
and
it
has
a
certification
process,
and
we
can
talk
about
how
Red
Hat
technologies
comply
with
that.
B
The
the
way
that
you
typically
automate
these
things
is
with
an
umbrella
of
technologies
for
missed,
called
s
capped
for
the
security
content,
automation
protocol.
We
have
an
open
source
implementation
of
many
of
those
standards
that
come
from
open
s.
Cap.
We
have
another
project,
called
the
s
cap
security
guide
that
has
a
bunch
of
X
ccdf
profiles
to
implement
things
like
the
stig,
which
is
itself
an
interesting
bit
of
dependencies
there.
B
So
the
SSG
actually
is
upstream
of
the
US
government
configuration
baseline
us
gcp,
which
informs
the
stig
that
is
published
by
DISA
and
that's
a
coordination
effort
with
several
different
agencies
there.
If
you're
working
in
DoD
or
in
the
intelligence
community,
there
are
still
separate
authorities
that
you
have
to
worry
about
and
then
there's
the
the
terminology.
That's
changing
what
we
used
to
call
it:
the
certification,
an
accreditation
process
that
that
documents
been
deprecated
in
favor
of
a
new
risk
management
framework.
B
B
You
down
select
that
to
the
ones
that
apply
to
you,
because
there
are
numerous
non-technical
controls
in
here
and
NIST
deliberately
did
not
label
controls
as
technical
or
non-technical,
because,
depending
on
your
project,
you
may
have
a
technical
relay
of
implementing
that
and
you
might
not
so
it's
designed
to
be
very
flexible,
but
the
implication
of
that
is
that
it
puts
more
work
on
the
end
user.
Who
is
actually
writing
the
system
security
plan
and
taking
that
body
of
evidence
through
the
A&A
process?
B
Gosh
I
apologize
about
the
phone
there,
okay,
so
I'm
moving
on,
we
have
published
this
open
shift.
Compliance
guide
that
is
sort
of
this
is
sort
of
in
very
new
effort,
and
it's
not
it's
not
typically
done
normally
and
in
fact,
if
you
look
at
the
the
FedRAMP
document,
which
is
sort
of
around
good
for
you,
I'm
very
sorry
hang
on.
B
So,
while
this
is
sometimes
done
in
sort
of
a
sensitive
environment
where
the
body
of
evidence
itself
may
be
may
be
classified
or
just
or
just
sensitive,
we've
taken
those
things
that
we're
able
to
share
we've
open
sourced
it,
and
we
put
it
out
in
sort
of
a
framework
that
we
think
will
be
a
little
bit
easier
to
to
scale
and
collaborate.
We
call
that
the
open
shift
compliance
guide-
this
is
actually
posted
off
of
github.
B
The
the
visual
interface
here
is
done
with
something
called
read:
the
docs,
which
is
really
cool
tool
that
we
can
dive
into
a
little
bit
more
and
let's
sort
of
breakdown.
What
we
have
in
these
different
sections
here,
the
reference
architecture,
is
really
important
and
when
you're
going
through
the
AAA
process,
one
of
the
kind
of
primary
things
that
you
have
to
get
through
is
just
educating
your
creditors
on
what
it
is
that
you're
trying
to
do,
and
particularly
with
new
technologies
like
containerization.
That
can
be
a
challenge.
B
You
know
we
went
through
this
whole
thing
once
before
with
virtualization,
and
there
were
many
sort
of
learning
curve
moments
there
where
previously,
but
before
that,
every
single
information
system,
as
an
example,
was
physical
and
had
a
barcode
on
it,
an
asset
tag
and
could
be
tracked
as
an
asset.
So
once
virtualization
became
a
thing
that
was
impossible
to
put
a
physical
barcode
on
a
virtual
machine
that
tripped
up
a
lot
of
pee
in
that
older
CNA
process.
B
B
In
that
spreadsheet
we
identify
who
is
responsible
for
implementing
a
particular
control.
So
in
some
cases
it
might
be
a
physical
access
control
and
non-technical
control
that
we
sometimes
refer
to
as
the
guys
with
guns
controls.
So
that's
going
to
be
your
physical
security
officers.
There
being
sure
that
only
authorized
people
are
actually
able
to
get
into
the
building
where
your
information
systems
are
hosted.
Typically,
you
know
that's
not
an
open
ship
thing
that
that's
somebody
else.
So
there
are
different
roles
of
people
who
implement
these
things.
B
We
did
this
based
on
amazon
web
services,
because
that's
where
we've
done
a
number
of
these
openshift
three
deployments
now
and
it's
it's
what
we
knew
it
doesn't
need
amazon.
This
could
work
on
any
infrastructure
and
because
openshift
runs
on
top
of
rel
and
uses
doctor
and
cumin
a
tease.
All
it
requires
is
rel,
so
that
means
we
could
be
doing
this
on
vmware.
It
could
be
on
top
of
OpenStack
asher.
Now
so
there's
very
many
options.
It's
just
that
for
this
one
we
happen
to
use
amazon
as
a
reference
architecture.
B
We
would
like
to
generalize
that,
but
we
didn't
have
the
time
to
make
it
really
general,
so
we
stuck
with
what
we
knew,
so
we
have
here
a
very
conceptual
diagram
of
all
the
different
components
that
go
into
this.
So
this
is
something
handy
that
you
can
give
to
your
crediting
engineers
to
kind
of
review
what
that
architecture
looks
like,
and
then
we
have
a
more
kind
of
a
more
abstract
view
here
of
the
different
system
types
and
how
those
interact.
B
All
this
is
in
the
the
compliance
guide
by
the
way,
but
I
thought
it
might
be
a
little
bit
easier
to
go
through
slides.
So
this
one
is
this:
one
is
a
pretty
important
one.
A
lot
of
times,
you'll
spend
a
considerable
amount
of
effort
documenting
the
data
flows
that
go
into
your
whole
project.
That's
done
for
you
here
down
to
the
port
level
and
identifying
which
which
system
types
require
different
ports
and
how
that
data
flow
works.
B
We
also
have
a
conceptual
diagram
of
how
the
build
process
goes
for
when
you
actually
spin
up
a
nap,
and
this
this
becomes
really
important
when
you're
dealing
with
folks
that
might
not
be
familiar
with
open
shift
or
just
straight
up
might
not
be
familiar
with.
How
docker
and
open
container
image
format
works
so
being
able
to
show
them
this
and
how
you
take
application
code
from
a
git
repo
and
then
that
gets
pulled
into
our
source
to
image
or
s2
I
process.
B
Now
when
it
comes
to
how
you
actually
implement
fisma
compliance,
there
are
baseline
controls
around
what
we
call
the
CIA
triad,
and
it
doesn't
mean
typically
what
you
think.
It
means
it's
not
in
this
case,
referring
to
the
Central
Intelligence
Agency,
but
rather
three
different
types
of
areas
of
concern
around
confidentiality,
integrity
and
availability.
Each
one
of
those
has
a
baseline,
low,
moderate
and
high
setting,
and
we
designed
this
guide
to
help
you
achieve
the
FISMA
high
deployment.
B
Now,
as
you
might
imagine,
on
having
high
ratings
for
confidentiality,
integrity
and
availability
is
more
difficult
to
achieve
than
simply
a
moderate
setting,
and
one
of
the
things
that
you
have
to
worry
about
at
high
is
encryption
at
rest
and
in
transit
of
your
storage.
So
this
became
sort
of
a
more
complicated
thing
than
we
thought
it
would
be
when
we
set
out
to
do
this
work
because
one
of
the
things
that
openshift
offers
you
is
persistent,
persistent
storage
through
the
the
PV
and
persistent
volume
and
persistent
volume
claim
processing
within
kubin
eighties.
B
So
how
do
you
scale
that?
And
how
do
you
get
encryption
at
rest
and
in
transit
there?
And
there
were
a
number
of
ways
that
we
could
have
hacked
this
and
we
ended
up
deciding
on
this
architecture,
because
it
gave
us
the
best
balance
of
bang
for
your
buck
with
your
underlying
compute
resources,
in
this
case
amazon,
EBS
volumes,
and
then
where
we
were
actually
doing
the
lux
encryption
and
a
one?
More
note
here
on,
we
wanted
to
use
lux
because
it
comes
out
of
the
box
with
rel
on
it's
a
free
to
use
tool.
B
B
A
B
A
great
question
we
I
don't
think
we
have
that
documented,
but
that's
something
that
we
should
capture.
So
this
brings
up
an
excellent
point
when,
when
you're
looking
at
this
guide-
and
if
you
find
that
it
doesn't
have
something
that
you
would
find
to
be
useful
when
you're
going
through
that
the
you're
a
in
a
process,
let's
just
open
an
issue
on
on
github.
You
know
this
is
an
open
source
project
and
we
have
the
opportunity
to
collaborate
here.
B
A
It's
a
deal,
the
only
other
question
so
far
is
they
were
looking
for
labels
for
each
of
the
slides
for
there,
but
I
was
going
to
say
is:
if
you
go
to
the
open
shift
compliance
guide,
read
the
docs
page
that
the
URL
is
in
there.
You
can
find
almost
all
of
these
images
that
he's
using
in
that
I
think
for
all
of
them
are
in
that
guide
at
some
point
and
I'll
try
and
cross-reference
them.
A
B
Sure
do
so
if
you
use
our
tiny
URL
that
we
have
back
here
earlier
on
OC
PCG
for
open
shift,
container
platform
compliance
guide
in
the
upper
right
there,
there's
an
edit
on
github
link.
So
that'll
take
you
directly
to
the
page
44
that
that
particular
section
that
you're
looking
at
and
then
anywhere
from
there.
You
can
just
click
on
the
issues
tab
to
be
brought
to
that.
A
B
Excellent,
he
can
you
say
so,
given
the
guide
as
it
stands
today,
this
is
the
breakdown
of
controls
and
who's
responsible
for
what
so
of
the
total
of
about
1500
controls
in
853,
we
find
that
about
660
of
those
are
technical
controls,
or
at
least
controls
that
may
be
of
interest
to
an
accreditor
who's
going
through
your
body
of
evidence,
in
some
cases
like
what
the
guys
with
gun
controls.
Typically,
they
don't
even
bring
that
up.
So
that's
that
might
not
even
be
of
interest,
but
for
other
things
like.
B
Passwords
on
on
the
bios
for
the
underlying
host
system
that
will
fall
into
you
know
whatever
I
as
you're
using
so
in
this
case
we're
using
Amazon
ec2,
that's
something
that
they
handle
and
they
probably
have
their
own
SSP.
For
that.
So
we
hand
that
off
we
inherit
back
control.
So
this
is
the
breakdown.
B
The
security
control
section
we're
missing
some
things
and
we've
got
a
couple
janky
workarounds
right
now.
Ultimately,
they
need
to
become
our
FES
and
get
up
streamed
into
open
storage
and
make
it
into
the
enterprise
grade
product
on
the
way
that
we
work
around.
Some
of
these
things
is
sometimes,
as
I
said,
a
little
bit
weird.
One
example
would
be
the
way
that
we
do
security
banners,
so
there's
no
easy
way
in
the
open
shift
tool
right
now
to
add
some
kind
of
security.
B
Banner
saying,
like
you,
know,
secret
classification
at
the
top
of
it,
the
way
that
we
get
around,
that
is,
we
just
wrap
the
web
console
and
a
little
bit
of
JavaScript
ads
like
a
10
pixel
banner
at
the
top
that
has
the
proper
color
and
the
right
stuff
in
it,
and
then
we
resize
an
iframe
to
actually
hold
all
of
the
the
reel
web
console
in
this
particular
case.
We
have
this
already
written
and
we're
going
through
a
downgrade
process
to
be
able
to
make
that
unclassified
and
put
that
into
the
compliance
guide
itself.
B
B
They
have
a
their
own
set
of
click
through.
So
we
found
that
we're
typically
able
to
inherit
that
control.
That's
another
thing
that
is
not
well
documented
in
the
guy
get
and
is
something
that
we
have
to
go
through
and
make
a
little
bit
bit
more
explicit.
So
there's
a
number
of
places
where
we
have
the
opportunity
to
collaborate
here
with
the
community
and
get
that
discussion
rolling.
B
The
customer
responsibility
matrix
like
it
was
saying
earlier,
is
of
interest
to
open
shift
consumers
and
there's
a
couple
different
sort
of
use.
Cases
for
this
guide.
One
would
be
where
you're
hosting
your
own
open,
shipped
environment.
So
you
host
you
host
it,
you
run
it
and
then
you
consume
the
services.
So
in
that
case
I
the
group
going
through
that
any
process
would
be
responsible
for
both
the
landlord
and
the
tenant
set
of
controls.
B
That,
then,
would
be
the
control
are
a
three
which
is
the
risk
assessment.
You
have
to
do
that
on
a
per
on
sort
of
a
program
basis.
So
this
is
this
actually
brings
up.
An
interesting
frequently
asked
question
which
is:
does
this
guide
mean
that
openshift
is
accredited
out
of
the
box?
That's
that's
a
no!
You
can
never
pre
a
credit
software.
B
What
we're
trying
to
do
with
this
is
lower
the
barriers
to
entry
to
get
to
that
accreditation
and
we're
going
to
get
better
at
that
over
time,
but
it
shouldn't
be
thought
of
as
I
hand.
This
guide
in
and
that,
and
that
means
that
we're
this
product
itself
comes
pre
accredited.
Somehow,
that's
just
not
the
way
it
works.
B
A
B
A
B
Yeah
we
all
get
to
that
when
we,
when
we
get
to
the
end
I've
got
a
couple
other
facts
that
we
can
get
through
so
with
the
ansible
stuff,
we're
trying
to
automate
as
much
of
this
as
possible
and
make
it
repeatable,
and
this
further
lowers
those
barriers
to
becoming
accredited.
When
you
do
this
yourself,
this
is
sort
of
a
just,
a
temporary
placeholder.
B
Until
we
get
this
to
a
more
permanent
location,
but
on
ansible
galaxy
we
have
an
org
that
sort
of
a
roll
up
of
many
of
our
standard
roles
that
we've
used
to
implement
these
things.
Just
a
quick
overview.
Ansible
is
a
sort
of
a
python
and
yamo
based
configuration
management
and
automation
framework,
and
it's
very
very
easy
to
use.
You
just
write
these
amel
playbooks
that
describe
what
it
is
that
you're
trying
to
do.
B
Its
deployment
mechanism
uses
ansible
so
with
with
ansible
itself,
roles,
give
you
sort
of
a
pluggable
way
of
taking
a
set
of
play,
books
and
all
of
their
associated
variables
and
even
libraries
that
they
require
and
make
it
easy
to
plug
those
in
to
the
playbook
that
your
writing.
So
we've
broken.
Many
of
these
things
up
intervals
like
the
853
roll,
for
example,
implements
many
of
those
controls
at
like
a
rail
level
that
you
have
to
get
through
in
order
to
be
compliant
with
all
the
controls
that
you
see
in
this
guide.
B
That's
just
sort
of
nice
to
have,
and
it's
non-official
the
official
way
to
scan
for
and
we're
working
on
the
implementation
side
there.
That
is
with
open
s.
Cap
in
the
s
cap
security
guide,
we
we
publish
a
lot
of
that
stuff
and
and
sean
is
very,
very
plugged
into
that,
and
I'm
sure
would
be
happy
to
talk
in
depth
about
any
s,
cap
stuff
or
s,
cap
security
guard
stuff,
which
might
even
be
an
appropriate
follow-up
briefing
for
the
next
time.
We
do
this
stuff,
so
the
853
roll
is
there.
B
The
link
will
be
in
the
slides
for
when
we
send
that
out,
if
you'd
like
to
play
with
it,
that's
broken
up
in
such
a
way
that
it's
kind
of
easy
for
admins
to
understand,
what's
going
on
and
then
and
then
make
some
changes.
So
this
is
an
example
of
some
of
the
default
variables
that
are
set
in
this
role
and
we
deliberately
made
it
sort
of
admin
centric
as
opposed
to
compliance
centric.
B
So
as
an
example,
if
you
look
at
line
12
there
with
the
shared
library
path,
that's
very
obvious
what
it's
talking
about!
It
doesn't
tie
that
back
to
something
arcane
control
that
then
you've
gotta
dig
for
to
see
what
that
means.
So
this
makes
it
a
little
bit
easier
to
achieve
that
accreditation
to
implement
those
controls.
B
So
that's
that's
part
of
how
we've
been
doing
this
here's
another
here's
another
example:
we've
broken
the
different
tasks
down
into
control
family,
so
in
the
access
control
one
you
can
see
here
in
enable
selinux
control
and
then
which
will
play
and
then
which
controls
there's
actually
tie
back
to
that
one
of
the
nice
things
about
this
design
is
using
the
tags
system.
You
can
specify
by
CIA
low,
moderate
or
high
what
controls
you
actually
want
to
implement.
B
B
All
of
this
goes
into
sort
of
a
larger
effort
that
we've
been
going
through
to
create
a
way
to
make
it
really
easy
to
reproduce
fully
disconnected
deployments
of
open
shift.
So
what
is
disconnected
me
in
this
context,
when
you,
when
you
typically
deploy
open
shift
on
a
system
that
has
connectivity
to
the
Internet
you've,
got
a
lot
of
resources,
they're
available
to
you
that
you
might
not
have
in
a
fully
air-gapped
environment?
You
can
register
your
system
with
the
Red
Hat
content
delivery
network.
B
You
can
pull
your
your
rpms
down
simply
by
enabling
those
repos
and
running
the
the
various
prerequisite
commands
and
then
the
deployment
hensel
playbook
you.
If
you
have
to
pull
down
any
of
additional
docker
images
that
that
you
might
not
have
locally,
you
can
go
out
and
get
those
from
the
Red
Hat
registry
or
from
some
other
registry.
Doing
these
things
when
you
have
no
ability
to
hit
the
internet
on,
makes
a
deployment
very,
very
challenging.
B
B
If,
if
we
were
to
describe
the
the
compliance
guide-
and
this
is
not-
none
of
this
is
actually
official
so,
but
if
we
were
to
think
of
the
compliance
guy
to
sort
of
being
at
a
beta
degree
of
maturity,
this
open
ship,
disconnected
effort
would
still
sort
of
be
an
alpha.
There
are
a
couple
issues
that
we
have
not
quite
track
down
yet
just
due
to
time
constraint
around
the
deployment,
not
completing,
particularly
like
with
the
hea
proxy
load
balancers.
B
So
we
have
some
opportunity
for
collaboration
and
improvement
there,
but
in
the
long
term,
I
think
this
is
going
to
be
one
of
the
easier
ways
to
actually
achieve
those
disconnected
deployments.
We've
got
a
couple
typical
questions
that
I
want
to
hit,
but
before
we
move
on
any
questions
about
the
ansible
stuff.
B
Absolutely
yes,
so
the
goal
for
all
of
these
so
hope
that
that
segues
nicely.
So
these
are
the
four
most
common
questions
that
I
encounter
when
when
talking
about
this
stuff-
and
you
know,
is
it
official
and
the
answer
is
not
yet.
This
is
something
that
was
born
out
of
the
public
sector
group
within
Red.
B
Hat
sort
of
it
came
from
the
field
with
a
lot
of
deployments
that
we've
done
we're
trying
to
sort
of
get
it
to
a
point
where
it
other
people
are
going
to
be
able
to
understand
it
and
then
like
we're
doing
now,
we're
sort
of
opening
that
up
more
to
the
community
so
that
we
can
get
it
to
a
usable
state
and
get
that
incorporated
upstream.
So
our
goal
would
be
to
get
this.
B
Compliance
guide
hosted
off
of
the
official
docs
openshift
calm
and
docs
redhat
com
sites,
but
it's
not
official
yet
and
there's
a
lot
of
work
that
we
need
to
do
to
be
able
to
get
there.
Nor
is
it
complete,
weichert
saying
earlier
we're
missing
many
different
implementations,
such
as
the
the
security
banner
and
we
as
a
community
sort
of
need
to
decide
how
we
want
to
approach
that.
B
Do
we
want
to
continue
with
that
janky
JavaScript
or
no,
probably
not
we
probably
want
to
get
our
Fe
is
open
so
that
it's
a
parameterised
value
within
the
open
ship
tool
itself,
where
you
can
specify
I
want
to
have
a
banner
of
this
high
in
color.
With
this
content
on,
and
one
thing
to
always
bear
in
mind-
is
no
matter
how
official
or
accurate
we
can
make
this
guide
it
never
ever
makes
openshift
accredited.
You
know
air
quote
out
of
the
box.
You
have
to
have
a
sponsor
program.
B
You
have
to
have
your
own
system
security
plan
and
your
full
body
of
evidence
that
you
put
through
that
a
a
process.
It
is
a
per
program,
/
effort,
type
thing
that
simply
cannot
be
generalized
at
the
product
level,
but
what
we
can
do
is
help
help
you
get
through
that
more
quickly
and
help
you
educate
your
creditors
so
that
they're
more
comfortable
getting
through
that-
and
we
wanted
to
do
this
in
an
open-source
way
because
we're
one
hundred
percent
open-source
company.
B
If,
like
we're
saying
earlier
with
the
FedRAMP
SSP
template,
it
comes
pre-populated
with
headers
and
footers
that
say
a
company,
proprietary,
trade,
secret
type
stuff
and
typically
that's
how
this
type
of
data
is
a
pro
is
handled.
A
company
might
put
some
effort
into
making
it
easier
to
get
through
accreditation,
but
that
then
becomes
some
more
secret
sauce
to
entice
you
to
use
that
product.
That's
just
not
how
red
head
rolls
we
wanted
to
do
this
in
a
fully
open
source
way
and
I
think
everybody's
going
to
benefit
from
that.
Any
other
questions.
A
C
As
the
example
we
ship
government
paper
like
the
accreditation
paperwork,
so
all
of
the
control
mappings
Jason's
showed
that
spreadsheet
thing
all
of
the
implementation
guidance
and
the
idea
is
to
start
going
through
regulated
baselines
like
the
Stig,
which
is
for
DoD
bhisma,
which
is
largely
for
civilian
and
actually
should
govern.
Government
ready
deployments
or
government
ready
reference,
architectures
and
kind
of
what
Jason's
done
is
set
us
up
for
success.
To
do
that.
Broken
shift.
B
Hank
you're
not,
but
thank
you
very
much
for
the
opportunity
to
share
this
and
I'm
really
looking
forward
to
more
community
involvement.
Here.
We've
already
had
a
couple
folks
from
some
of
our
agencies
provide
a
little
bit
here
and
there,
but
we,
when
we
approach
this
in
the
open
source
way,
I
think
it's
going
to
make
this
easier
for
everybody.
Yeah.
A
Well,
I
also
liked
your
suggestion
that
maybe
having
I'm
a
follow
up
on
open
scaff
would
be
a
good
thing
as
well
Plus
once
we
get
this
up
and
out
onto
the
blog
site,
and
other
people
want
to
put
comments
on
it.
If
you
want
to
post
another
one
to
review
the
issues
list
and
have
a
conversation
about
that
as
part
of
the
open
ship,
Commons
deltasig
I'd
be
happy
to
do
that.
To
help
drive
drive
through
this
in
that
and
that
show
you
can
get
some
community
feedback
on
it.
A
So
if
anyone
is
on
this
call
that
it
has
burger
things
that
they'd
like
to
see
in
this
guide,
please
do
pull
an
issue
or
contribute
something,
make
a
pull
request
and
create
the
content
and
we'll
try
and
get
that
out
there
and
into
this
guide
as
well,
and
give
you
a
place
to
have
conversations
about
it
here
in
the
Gulf
sig
and
looking
to
see.
If
there's
any
more
questions,
if
you
enter
them
into
the
chat,
we
hopefully
Jonathan's
saying
that,
hopefully
he
can
contribute
to
it
in
the
future.
A
We
will
you
all
will
too
so
Jason.
It
doesn't
look
like
there's
any
more
questions
and
Sean.
Thank
you
very
much
for
doing
this
session.
It's
hopefully
this
work
will
get
incorporated
into
the
product
management
workflow
and
get
out
there
in
a
relatively
short
time.
So,
thanks
again,
Jason
and
I
look
forward
to
having
you
guys
on
again.
Did
you
open
staff.