
NeoSystems Corporation

CMMC Podcasts

Podcast Season 4 Episode 4: WashTech CISOs Speak: Special Edition with CSO Nicolas Chaillan

May 12, 2020 | BY: Neosystems

We break from speaking with CISOs this week to talk with Nicolas Chaillan, the Chief Software Officer for the US Air Force and the Co-Lead of the DoD Enterprise DevSecOps Initiative. While the CSO isn’t as common a role as the CISO, the challenges remain similar and the impact that work with the DoD is having across the security industry in relation to the CMMC is far reaching. Chaillan offers a unique perspective on innovation in the sector.

Transcript

Erin Keating:

Welcome to NeoCast. Join us each week as we discuss challenges in government contracting, strategies, and solutions for your businesses. We’ll dive into managed IT, cybersecurity, workforce advancement, and much, much more. Sharing is caring and we’ve got top-shelf advice to help you navigate today’s biggest challenges. Let’s get to it.

Erin Keating:

Welcome everybody to NeoCast, the podcast brought to you by NeoSystems. Today we’re actually going to be interviewing an individual who has started a brand new role within the Department of Defense. Maybe not new for him right now, but one of the first. It is the Chief Software Officer for the Air Force within the DoD, Nicolas Chaillan. No, I said that wrong.

Nicolas Chaillan:

Chaillan.

Erin Keating:

Nicolas Chaillan. Nicolas Chaillan, thank you for joining us today. I was wondering if you could maybe help us better understand what your position is within the DoD and how that position came about?

Nicolas Chaillan:

Yes, absolutely. I think it’s actually pretty interesting because when I started I wanted to make sure everything we do is very much lined up with the way we do business on the commercial side. This is where I’m coming from anyway, and of course that didn’t happen since the title itself does not even exist on the commercial side. But what’s interesting here, I think, is we have silos of course in DoD and there are obviously different types of roles already in place, including of course a Chief Data Officer, a Chief Information Officer and a CTO, a Chief Technology Officer. But in this case we wanted to have a dedicated person focused on DevSecOps and software and innovation and removing the impediments, to be able to help the teams move faster to Agile and DevSecOps.

Nicolas Chaillan:

And so really that’s kind of what came to be with the Chief Software Office, which kind of became the central place for the different Air Force and DoD programs to reach out when they have questions, but also to be able to build not only guidance and policy but, more importantly, technology guidance and actual technology with the different teams that we spun up in the Air Force to be able to manage DevSecOps services. So each team doesn’t have to reinvent the wheel to build their cloud and their platform as well. So that’s kind of what happened, and of course we’re lucky enough to have gone through the acquisition side of the Air Force, where the money is, which helps of course implement all of this.

Erin Keating:

Of course. So out of curiosity, are there Chief Software Officers elsewhere within the Department of Defense, or does your role within the Air Force cover all of the other branches of the military?

Nicolas Chaillan:

No. So unfortunately I’m the only one yet. I’m hopeful that it’s going to spread. We’ve started seeing some discussions, which is great. I have two titles. I’m the Chief Software Officer for the Air Force and I’m the co-lead for the DevSecOps initiative for all of DoD, and that’s a joint team with the DoD CIO and the A&S team at OSD. And so I still help DoD wide when it comes to DevSecOps, but when it comes to the Chief Software role, this is just for the Air Force.

Erin Keating:

I understand and I did see somewhere maybe another title you hold is the Senior Software Czar? Is that an actual official title or is that just something someone was using to refer to you?

Nicolas Chaillan:

Yeah, I guess it’s just a way people used to actually talk about the Chief Software role in the past: Software Czar. We had the Cyber Czar; we have a lot of “czars” apparently. So that’s just a different way of saying the same thing.

Erin Keating:

Understood and so what was the impetus for the department to actually assign a Chief Software Officer? To your point that role doesn’t exist broadly in the private sector nor in the government sector.

Nicolas Chaillan:

Well, I think the number one benefit from this is to have a central point of contact for the teams to reach out to when it comes to software innovation, DevSecOps, Agile, but also, I think, to start bringing some of the enterprise services that are needed for DevSecOps to exist. The issue when I started is we had so many different teams with all these cool names like Kessel Run, SpaceCAMP, Kobayashi Maru, Level Up and so on. They’ve been creating their own stack from scratch, everything in a silo, often in a vacuum, where they had no choice but to do that because no one was bringing enterprise Air Force wide DevSecOps capabilities.

Nicolas Chaillan:

And the first thing we’ve done is kind of consolidate all of these different efforts in terms of the DevSecOps piece of it, so the teams could refocus on their mission software and building software for that mission instead of building a platform just so they can build software down the road. And so we’re saving time and money, and also we’ve benefited from reciprocity across the department now, and so software stacks are reused and shared across teams, and when we accredit it, it’s accredited DoD wide. And so that’s also helpful when it comes to saving the taxpayer money.

Erin Keating:

Yeah, that makes a lot of sense and I read somewhere on the website as well that there’s a lot of benefit to rapid prototyping because you’re able to centralize a lot of these things. Is that something that you found as really useful in trying to decide what software you’re going to be using for the department?

Nicolas Chaillan:

Yeah. One of the critical aspects is both on the accreditation and also on the building of the custom software: both for the commercial software, when we want to accredit that fast and be able to use the best of the commercial side out there without reinventing the wheel and spending a year or two to accredit it, but also on the customization side when we build software, to make sure we can seal the quake. And timeliness is really critical in today’s day and age, and really when you even look at the COVID situation, we’re able to deploy sometimes capabilities in 28 hours from the decision to do it to the deployment in production. And that’s something we would never have been able to do, not without DevSecOps, at least not without taking significant risk when it comes to cyber security, which in this case is baked into the stack.

Erin Keating:

Right. Now that makes a ton of sense. So what types of best practices are you prioritizing within DevSecOps?

Nicolas Chaillan:

Well, first is we’re pushing Kubernetes and containers and open source capabilities. So we’re trying to piggyback on what the commercial side is doing. We’re trying not to be special. We’re trying to make it clear that yes, the mission of DoD is special, but the software is not, and so we’re reusing a lot of the open source capabilities out there. Containers and Kubernetes also ensure we don’t get locked into a single company, so we have multiple options. We are cloud agnostic, we can go on premise, we can go on the weapon itself. The software becomes obviously less locked into a single platform, and so that enables us to move it wherever it needs to be, whether it’s on classified clouds or on premise or on the different DoD networks. And so that is obviously a great way to move fast and be able to deploy globally.

Nicolas Chaillan:

But also we are piggybacking on zero trust, and a lot of the best cybersecurity practices when it comes to behavior detection and Agile trust are completely baked into the DevSecOps stack. So that brings us a lot of security. It’s not an afterthought, it’s baked in. That’s critical, and that enables us to accredit containers DoD wide across classification levels and really be able to assess the risk and share these containers. And so we created this capability of a centralized repository of containers that can be consumed, and it’s open source. So we’ve released it publicly, which is pretty cool for DoD. So anyone can go and consume these containers, and anyone can not only access it but will also have contracts available to buy licenses when it’s commercial products, and so that streamlined the access to the software.

Nicolas Chaillan:

Also the benefit for the startups and companies that want to work with DoD: easier access to being accredited. We’re talking often less than two weeks to accredit a container now, so they can actually provide their existing containers to us and we can accredit that within two weeks DoD wide, and then anyone can consume it and deploy it in production. So that makes it obviously much easier for companies than having to spend a year to accredit the software, and it’s highly automated, so that’s obviously more scalable as well.

Erin Keating:

Right. So you are talking a ton about a lot of change, which sounds very exciting but to your point, government and the Department of Defense and even large scale enterprises haven’t always been famous for moving quickly or adapting to change easily. How are you addressing the change management across the department of defense as you implement these things?

Nicolas Chaillan:

Yeah, of course there is a culture change here. That’s the number one impediment to any organization moving to DevSecOps. I don’t think that’s specific to DoD, but of course DoD is a massive organization with a lot of silos, and a lot of decisions have to be made. And sometimes we’re trying to define what has to be manual and what has to be automated, and of course we’re trying to automate as much as we can. There’s a lot of training and learning that we’re doing at the same time.

Nicolas Chaillan:

So we created self-learning capabilities and training for both the technical side of the house and also the management slash acquisition side of the house, to support program management as well, where we need to make sure they understand the benefits of DevSecOps and sometimes even something as basic as Agile. We are still very much stuck in waterfall in many organizations, and Agile is 20 years old already, but we’re doing the shift straight to DevSecOps, right? And so DevOps is nine, 10 years old, DevSecOps probably four years, and so really we are now finally pushing the best of the best. And what’s interesting has been the massive adoption because we released all this technology open source.

Nicolas Chaillan:

We have dozens of teams outside of DoD, but also commercial organizations, including financial sector companies and healthcare as well, consuming the technology we’re building and the containers that we’re sharing with the rest of the world. And that’s been pretty exciting to see because for once we’ve realized, “Hey, we’re leading the pack here.” You know, people always say we are behind, but I think people that look at what we’ve built so far would pretty much agree that we’re way, way ahead of the rest of the industry.

Erin Keating:

Absolutely. And you mentioned automation before. In what way is automation playing a role with some of that change management?

Nicolas Chaillan:

Well, obviously I think the number one fear is that people lose control, and you know it’s often a governance problem. It’s the sides within DoD that want to make sure they keep their little kingdom, often, unfortunately, and we have to… Sometimes it makes sense, right? Sometimes it is necessary to have this kind of oversight to make sure there’s no abuse of power or issues in terms of cyber security, or even all that type of governance as well. So some do make sense, some don’t, and the key is to find the ones that don’t and remove those impediments and those bottlenecks that often slow down the production of software and weapon capabilities as well.

Nicolas Chaillan:

So we need to understand that timeliness is key, and so if you want to be very safe, you could release software once every hundred years, but I’m not sure that will meet the requirements of the war fighter. So the key aspect here is to be fast but have that baked-in security, and fail fast, but don’t fail twice for the same reason, and learn fast, right? So the key is understanding that the learning is critical and allowing for that learning to happen, and allowing for failing fast but not being okay with failing slowly and costing even more money to the taxpayer.

Erin Keating:

It reminds me of the old phrase of measuring twice and cutting once.

Nicolas Chaillan:

Yeah. Absolutely.

Erin Keating:

It’s the updated phrase here that people need to live by. So I’m curious, with the Cybersecurity Maturity Model Certification coming on, how is your agency working with that type of certification that’s coming on, or how is that better enabling you to do your business?

Nicolas Chaillan:

Well, you know, A&S is obviously working on CMMC. We have ongoing discussions with the team to try to see how we could address the implementation of CMMC. What is very critical for us is to make sure that, while we obviously agree that cybersecurity is critical and that the self assessment is not good enough and we need better than that, we also want to make sure we don’t set the bar so high that only existing DoD companies and partners would be able to continue doing business with DoD, and make the bar so high that the new startups and companies will not be able to work with DoD. And so that’s going to be even more critical than getting hacked, and so we’ll just get behind, and slowly but surely the companies will disappear and then you would end up with very few options left as part of the defense industrial base. And so we already see it with many bids we’re doing where only one or two companies can now bid, and that is very dangerous, right?

Erin Keating:

Right.

Nicolas Chaillan:

For everybody. For the government and also for the companies, because we’re not then pushed to try to do better and innovate, and we just get behind and we don’t get the best or the brightest. So I think we all agree that cyber is critical. What we do want to see is the ability to [inaudible 00:14:05], witnessed, to try to see how we could have a single overlay of NIST 800-53 controls tied to CMMC. So it would make the assessment and the implementation of the cyber controls for companies much more streamlined.

Nicolas Chaillan:

Right now they will have to follow about four different publications, and then if companies also want to sell SaaS services, they will have to go through FedRAMP on top of it, which is based on NIST 800-53. And so now you’re asking companies to follow five different publications, which often means they have to do five assessments, because auditors, even though the controls are mapped,

Nicolas Chaillan:

they are often not completely the same, and by the finish an auditor will want to reassess, and now you end up paying for five kinds of assessments. But on top of it you have to implement them, because, keeping in mind, the assessment is just to know if you’re compliant, it doesn’t make you compliant, and so you still have to spend quite a bit of money also to become compliant. And so for us, if we don’t have a single set of controls… and really the standard today is NIST 800-53, and we should not reinvent DoD specific controls. And so that’s kind of our vision here.

Nicolas Chaillan:

On CMMC we want to make sure that the 46 controls that CMMC created from scratch are now kind of using NIST 800-53 instead, so everyone has the same set of controls to abide by, and it’s just a matter of implementing the cybersecurity framework and not having to do something DoD specific, which will only reduce the number of companies that will want to participate in bids even more. If we mandate CMMC compliance level one before the first bid is won, you can imagine that for a company they will probably not want to do that until they at least have a contract in place with one DoD program. So that’s a little scary as well.

Erin Keating:

Yes. Now we’ve had lots of conversations about that, especially because cyber security is such an important thing for all contracting officers to think about, any agency that’s actually hiring contractors. But to your point, if you get too caught up in the cyber security, you may be artificially setting levels higher than what is needed and thereby tamping down on innovation that you might need in the project.

Erin Keating:

So I know that’s always a delicate balance for anyone trying to bring in a company or a supplier: how do you make sure you have the right field of talent, if you will, to evaluate without setting too many roadblocks in their way? And we’ve been working pretty hard with a lot of industry experts to figure out how do we… At NeoSystems, how do we help educate people on what those roadblocks and boundaries might be?

Nicolas Chaillan:

Yeah, I think it is a balance, and you know, I think we need to find the right balance, and I think A&S has done a great job. You know, Katie has been a great sponsor to push people to think more about cyber, and she’s awesome at doing that, and she’s very right that we cannot just trust companies to self assess. That is just a joke. Right? And then, often with the levels, the five levels, people don’t really understand them very well. They don’t know, then, the subs. You know, if you have subs, what level should they follow based on the work they’re doing? And so then people will just mandate the highest level for everybody to use, which makes the bar pretty high for smaller companies as well, and then of course primes have to make sure that their subs are all compliant, which will also create some type of difficult relationship between the primes and the subs.

Nicolas Chaillan:

And so the whole thing is a great idea, and I think the key is to make the implementation simple. And one of the ideas we had is providing access to Platform One, which is the DevSecOps stack that we built in the Air Force, as a service to the companies, that can then use it to be already compliant and build software on that environment. So that way Platform One now becomes kind of a government furnished cloud that those teams can use, and they don’t have to worry about being compliant because they’re already compliant day one; they just get access to it.

Nicolas Chaillan:

There will still be a little bit of controls left for them to do on premise for their internal network, and simple things like that, such as device security and how they connect to the cloud, but it would probably be less than 10% of what they have to do, and it will be a furnished environment that they can use. And so we were looking at options like that to simplify life, particularly for the smaller companies that end up getting cyber as part of their venturous engagement of the [inaudible 00:00:18:47].

Erin Keating:

That’s a really interesting thought and perspective, and I’m sure it’s welcomed by a lot of the smaller contractors. I’m curious, given that we’re talking about a lot of private sector organizations and software developers, how do you see a role like Chief Software Officer translating into the private sector, and how would you like to shape that?

Nicolas Chaillan:

Yeah, I think it depends on the size of the company. I would say in a normal sized company, a smaller sized company, that’s probably something that the CIO or CTO would do. It would probably be consolidated into those kinds of titles. For a larger organization I think it does make sense to have someone dedicated to DevSecOps and software. I think what people don’t realize just yet is how much of an enabler the right DevSecOps stack is to enable your teams to build software.

Nicolas Chaillan:

So if you’re a company today, you’ve probably built or used some type of software, and it’s very likely you have to write customized software as well, and if you’re doing it the old fashioned way, you will get behind pretty quickly compared to what China and Russia, but also even the startups, can do today. And so if you want to keep up and be relevant, you probably need to have a DevSecOps stack that’s very, very strong, and the way you architect the system is getting more and more complex with containers and Kubernetes and all that kind of stuff. And so people have to realize the complexity of that, and it does need some dedicated time, and really making sure that it’s prioritized.

Nicolas Chaillan:

It’s often seen as a secondary thing that’s not that important, but people are missing that. For example, in DoD we saved a hundred years of program time in one year by using DevSecOps, right? So the hundred years of planned program time, what was going to happen in the next hundred years, is gone thanks to the automation and the DevSecOps pipeline we’ve brought to life for these programs. So an average of 18 months every five years of program time per program. So that’s massive, and you can imagine that is the difference between keeping up, or leading, or being behind your competition as well.

Erin Keating:

Well, I’m fascinated by the fact that this position is now there. You’ve had such an interesting career up until this point, so I’m sure you’re going to take the Air Force and the DoD to completely new levels. I know that a lot of our listeners have been keeping a close eye on CMMC, as well as on what automation has to do with the way they manage their back offices and their systems and software, and keeping an eye on what you’re doing in the Air Force and the DoD I’m sure will help motivate them, as well as help them be better at what they’re doing and the decisions they’re making in their large organizations and enterprises. So I really appreciate you taking the time to talk to us a little bit about that. Do you have any parting thoughts that you’d like our audience to hear from you?

Nicolas Chaillan:

No. The last thing we want to share is we have this website that we’ve put up, software.af.mil, and on that website you’ll find a section on DevSecOps, DevOp as we call it, and you’ll find all the documents, containers, architectural designs; everything is open to the world. It’s pretty unique for DoD to be able to open source that kind of stuff. So we’re pretty excited about it. We have a lot of organizations already consuming it, so we’d love to make sure we get as much feedback as we can. You’ll see there the link to the source code repo to get access to the source code and the containers and all the good stuff. So we wanted to make sure people had access to that and get their feedback as well.

Erin Keating:

Absolutely. We’ll be sure that we include that URL in the show notes for the podcast as well. So thank you so much, Nicolas. I really appreciate you taking time out. I know that you guys are all very, very busy, and specifically in your role, and we can’t thank you enough for taking a half an hour out to talk to us.

Nicolas Chaillan:

Oh, sure. Thank you for having me.

Erin Keating:

Absolutely.

The NeoSystems difference. We specialize in serving organizations of all sizes. In today’s fiercely competitive market, is your organization constantly searching for ways to gain the advantage over competitors? Smart organizations are paying more attention to their strategic back office operations. NeoSystems offers scalable back office services and solutions to improve your organization with a team of industry experts, industry leading information technology tools, and an advanced technical infrastructure from software hosting and security solutions to manage accounting services. NeoSystems will custom build solutions and services that are tailored to fit your organization’s needs. Check us out on the internet at neosystems C-O-R-P.com. That’s neosystemscorp.com.

Erin Keating:

Welcome to NeoCast. Join us each week as we discuss challenges in government contracting, strategies, and solutions for your businesses. We’ll dive into managed IT, cybersecurity, workforce advancement, and much, much more. Sharing is caring and we’ve got top-shelf advice to help you navigate today’s biggest challenges. Let’s get to it.

Erin Keating:

Welcome everybody to NeoCast. The podcast brought to you by NeoSystems. Today we’re actually going to be interviewing an individual who has started a brand new role within the department of defense. Maybe not new for him right now, but one of the first. It is the Chief Software Officer for the air force within the DoD and Nicholas Chaillan. No, I said that wrong.

Nicolas Chaillan

Chaillan.

Erin Keating:

Nicholas Chaillan. Nicholas Chaillan thank you for joining us today. I was wondering if you could maybe help us better understand what your position is within the DoD and how did that position come about?

Nicolas Chaillan

Yes, absolutely. I think it’s actually pretty interesting because when I started I wanted to make sure everything we do is very much lined up with the way we do business on the commercial side. This is where I’m coming from anyway and of course that didn’t happen since the title itself does not even exist on the commercial side but what’s interesting here I think is we have silos of course in DoD and there’s obviously different type of roles already in place, including of course a Chief Data Officer, a Chief Information Officer and a CTO, a Chief Technology Officer but in this case we wanted to have a dedicated person focused on DevSecOps and software and innovation and removing the impediments to be able to help the teams move faster to Agile and DevSecOps.

Nicolas Chaillan

And so really that’s kind of what came to be with the Chief Software Office, which kind of became the central place for the different air force and duty programs to reach out when they have questions, but also to be able to build not only guidance and policy but more importantly technology guidance and actual technology with the different teams that we spun up in the air force to be able to manage DevSecOps services. So each team doesn’t have to reinvent the wheel to build their cloud and their platform as well. So that’s kind of what happened and of course we’re lucky enough to have gone through the acquisition side of the air force where the money is, which helps of course implement all of this.

Erin Keating:

Of course. So out of curiosity are there Chief Software Officers elsewhere within the department of defense or does your role within the air force cover all of the other branches of military?

Nicolas Chaillan

No. So unfortunately I’m the only one yet. I’m hopeful that it’s going to spread. We’ve started seeing some discussions, which is great. I have two titles. I’m the Chief Software Officer for the Air Force and I’m the co-lead for the DevSecOps initiative for all of DoD and that’s a joint team with the DoD CIO and the ANS team at OSD and so I still help DoD wide when it comes to DevSecOps but when it comes to the Chief Software role, this is just for the Air Force.

Erin Keating:

I understand and I did see somewhere maybe another title you hold is the Senior Software Czar? Is that an actual official title or is that just something someone was using to refer to you?

Nicolas Chaillan

Yeah, I guess it’s just a way people used to actually talk about the Chief Software role in the past, Software Czar, we had the Cyber Czar, we have a lot of “czars” apparently. So that’s just a different way of saying the same thing.

Erin Keating:

Understood and so what was the impetus for the department to actually assign a Chief Software Officer? To your point that role doesn’t exist broadly in the private sector nor in the government sector.

Nicolas Chaillan

Well, I think the number one benefit from this is to have a central point of contact for the teams to reach out when it comes to software innovation, DevSecOps, Agile but also I think to start bringing some of the enterprise services that are needed for DevSecOps to exist. The issue when I started is we had so many different teams with all these cool names like Kessel Run, SpaceCAMP, Kobayashi Maru, Level Up and so on. That’s been creating their own stack from scratch, everything in a silo, often in a vacuum where they had no choice but to do that because no one was bringing enterprise Air Force wide DevSecOps capabilities.

Nicolas Chaillan

And the first thing we’ve done is kind of consolidate all of these different efforts in term of the DevSecOps piece of it so the teams could refocus on their mission software and building software for that mission instead of building a platform just so they can build software down the road and so we’re saving time and money and also we’ve benefited from reciprocity across the department now and so self-tracking we were used and shared across teams and so when we equity itself to raise equity DoD wide and so that’s also helpful when it comes to saving the taxpayer money.

Erin Keating:

Yeah, that makes a lot of sense and I read somewhere on the website as well that there’s a lot of benefit to rapid prototyping because you’re able to centralize a lot of these things. Is that something that you found as really useful in trying to decide what software you’re going to be using for the department?

Nicolas Chaillan

Yeah. One of the critical aspect is both on the equitation and also on the building of the custom software both for the commercial software when we want to equity that fast and be able to use the best of the commercial side out there without reinventing the wheel and spending a year or two to equity at it but also on the customization side when we build software to make sure we can seal the quake and timeliness is really critical in today’s day and age and really when you even look at the COVID situation, we’re able to deploy sometimes capably 28 hours from the decision to do it to the deployment in production and that’s something we would never have been able to do, not without DevSecOps at least without taking significant risk when it comes to cyber security, which in this case it’s baked in into the stack.

Erin Keating:

Right. Now that makes a ton of sense. So what types of best practices are you prioritizing within DevSecOps?

Nicolas Chaillan

Well, first is we’re pushing Kubernete and container health and open source capability. So we’re trying to re piggy back you back on what the commercial side is doing. We’re training not to be special. We’re trying to make it clear that yes, the mission of duty is special but the software is not and so we’re reusing a lot of the open source capabilities out there. Containers and Kubernetes which also ensure we don’t get locked into a single company so we have multiple options. We are close agnostic, we can go on premise, we can go on the weapon itself. The software becomes obviously less locked into a single platform and so that enables us to move it wherever it needs to be, whether it’s on classified clouds or on premise or on the different to duty networks and so that is obviously a great way to move fast and be able to deploy globally.

Nicolas Chaillan

But also we have piggy backing on zero trust and a lot of the best cybersecurity best practices when it comes to behavior detection and Agile trust are completely baked into the DevSecOps stack. So that brings us a lot of security. It’s not an after thought, it’s baked in. That’s critical and that enables us to equity contain us DoD wide across classification levels and really be able to assess the risk and share these containers and so we created this capability of a centralized repository of containers that can be consumed and it’s open source. So we’ve released it publicly, which is pretty cool for the duty. So anyone can go and consume these containers and anyone can not only access it, but will also have contract [inaudible 00:08:10], to buy licenses when it’s commercial products and so that streamlined the access to the software.

Nicolas Chaillan:

Also, the benefit for the startups and companies that want to work with DoD is easier access to being accredited. We’re talking often less than two weeks to accredit a container now, so they can actually provide their existing containers to us and we can accredit that within two weeks DoD wide, and then anyone can consume it and deploy it in production. So that makes it obviously much easier for companies than having to spend a year to accredit the software, and it’s highly automated, so that’s obviously more scalable as well.

Erin Keating:

Right. So you are talking a ton about a lot of change, which sounds very exciting, but to your point, government and the Department of Defense and even large scale enterprises haven’t always been famous for moving quickly or adapting to change easily. How are you addressing the change management across the Department of Defense as you implement these things?

Nicolas Chaillan:

Yeah, of course there is a culture change here. That’s the number one impediment to any organization moving to DevSecOps. I don’t think that’s specific to DoD, but of course DoD is a massive organization with a lot of silos, and a lot of decisions have to be made, and sometimes we’re trying to define what has to be manual and what has to be automated, and of course we’re trying to automate as much as we can. There is a lot of training and learning that we’re doing at the same time.

Nicolas Chaillan:

So we created self-learning capabilities and training for both the technical side of the house and also the management slash acquisition side of the house, to support program management as well, where we need to make sure they understand the benefits of DevSecOps and sometimes even something as basic as Agile. We are still very much stuck in waterfall in many organizations, and Agile is 20 years old already, but we’re doing the shift straight to DevSecOps, right? And so DevOps is nine, 10 years old, DevSecOps probably four years, and so really we are now finally pushing the best of the best, and what’s interesting has been the massive adoption, because we released all this technology open source.

Nicolas Chaillan:

We have dozens of teams outside of DoD, but also commercial organizations, including financial sector companies and healthcare as well, consuming the technology we’re building and the containers that we’re sharing with the rest of the world, and that’s been pretty exciting to see, because for once we’ve realized, “Hey, we’re leading the pack here.” You know, people always say we are behind, but I think people that look at what we’ve built so far would pretty much agree that we’re way, way ahead of the rest of the industry.

Erin Keating:

Absolutely. And you mentioned automation before. In what way is automation playing a role with some of that change management?

Nicolas Chaillan:

Well, obviously I think the number one fear is that people lose control, and you know, it’s often a governance problem. It’s the silos within DoD that want to make sure they keep their little kingdom, often unfortunately, and we have to… Sometimes it makes sense, right? Sometimes it is necessary to have this kind of oversight to make sure there’s no abuse of power or issues in terms of cyber security, or all that type of governance as well. So some do make sense, some don’t, and the key is to find the ones that don’t and remove those impediments and those bottlenecks that often slow down the production of software and weapon capabilities as well.

Nicolas Chaillan:

So we need to understand that timeliness is key, and so if you want to be very safe, you could release software once every hundred years, but I’m not sure that will meet the requirements of the war fighter. So the key aspect here is to be fast but have that baked-in security, and fail fast but don’t fail twice for the same reason, and learn fast, right? So the key is understanding that the learning is critical, and allowing for that learning to happen, and allowing for failing fast but not being okay with failing slowly and thus costing even more money to the taxpayer.

Erin Keating:

It reminds me of the old phrase of measuring twice and cutting once.

Nicolas Chaillan:

Yeah. Absolutely.

Erin Keating:

It’s the updated phrase here that people need to live by. So I’m curious with the cybersecurity maturity model certification coming on, how is your agency working with that type of certification that’s coming on or how’s that better enabling you to do your business?

Nicolas Chaillan:

Well, you know, A&S is obviously working on CMMC. We have ongoing discussions with the team to try to see how we could address the implementation of CMMC. What is very critical for us is to make sure that, while we obviously agree that cybersecurity is critical and that the self assessment is not good enough and we need better than that, we also want to make sure we don’t set the bar so high that only existing DoD companies and partners would be able to continue doing business with DoD, and make the bar so high that the new startups and companies will not be able to work with DoD, and so that’s going to be even more critical than getting hacked, and so we’ll just get behind, and slowly but surely the companies will disappear, and then you would end up with very few options left as part of the defense industrial base, and so we already see it with many bids we’re doing where only one or two companies can now bid, and that is very dangerous, right?

Erin Keating:

Right.

Nicolas Chaillan:

For everybody. For the government and also for the companies, because we’re not then pushed to try to do better and innovate, and we just get behind and we don’t get the best or the brightest. So I think we all agree that cyber is critical. What we do want to see is the ability to partner with NIST to try to see how we could have a single overlay of NIST 800-53 controls tied to CMMC. So it would make the assessment and the implementation of the cyber controls for companies much more streamlined.

Right now they will have to follow about four different publications, and then if companies also want to sell SaaS services, they will have to go through FedRAMP on top of it, which is based on NIST 800-53, and so now you’re asking companies to follow five different publications, which often means they have to do five assessments, because auditors, even though the controls are mapped,

they are often not completely the same, and by definition an auditor will want to reassess, and now you end up paying for five kinds of assessments, but on top of it you have to implement them, because keeping in mind the assessment is just to know if you’re compliant, it doesn’t make you compliant, and so you still have to spend quite a bit of money also to become compliant. And so the issue is if we don’t have a single set of controls, and really the standard today is NIST 800-53, and we should not reinvent DoD specific controls, and so that’s our kind of vision here on CMMC. We want to make sure that the 46 controls that CMMC created from scratch are now kind of using NIST 800-53 instead, so everyone has the same set of controls to abide by, and it’s just a matter of implementing the cybersecurity framework and not having to do something DoD specific, which will only reduce the number of companies that will want to participate in bids even more. If we mandate CMMC compliance level one before the first bid is won, you can imagine for a company they will probably not want to do that until they at least have a contract in place with one DoD program. So that’s a little scary as well.

Erin Keating:

Yes. Now we’ve had lots of conversations about that, especially because cyber security is such an important thing for all contracting officers to think about, any agency that’s actually hiring contractors, but to your point, if you get too caught up in the cyber security, you may be artificially setting levels higher than what is needed and thereby be tamping down on innovation that you might need in the project.

Erin Keating:

So I know that’s always a delicate balance for anyone trying to bring in a company or a supplier: how do you make sure you have the right field of talent, if you will, to evaluate without setting too many roadblocks in their way? And we’ve been working pretty hard with a lot of industry experts to figure out how do we… At NeoSystems, how do we help educate people on what those roadblocks and boundaries might be?

Nicolas Chaillan:

Yeah, I think it is a balance, and you know, I think we need to find the right balance, and I think A&S has done a great job. You know, Katie has been a great sponsor to push people to think more about cyber, and she’s awesome at doing that, and she’s very right that we cannot just trust companies to self assess. That is just a joke, right? And then the issue often with the levels, the five levels, is people don’t really understand them very well. They don’t know then the subs. You know, if you have subs, what level should they follow based on the work they’re doing? And so then people will just mandate the highest level for everybody to use, which makes the bar pretty high for smaller companies as well, and then of course primes have to make sure that their subs are all compliant, which will also create some type of difficult relationship between the primes and the subs.

Nicolas Chaillan:

And so the whole thing is a great idea, and I think the key is to make the implementation simple, and one of the ideas we had is providing access to Platform One, which is the DevSecOps stack that we built in the Air Force, as a service to the companies, which can then use it to be already compliant and build software on that environment, so that way Platform One now becomes kind of a government furnished cloud that those teams can use and don’t have to worry about being compliant, because they’re already compliant day one, they just get access to it.

Nicolas Chaillan:

There will still be a little bit of controls left for them to do on premise for their internal network, and simple things like that, such as device security on how they connect to the cloud, but it would probably be less than 10% of what they have to do, and it will be a furnished environment that they can use, and so we were looking at options like that to simplify life, particularly for the smaller companies that end up getting cyber as part of their venturous engagement of the [inaudible 00:00:18:47].

Erin Keating:

That’s a really interesting thought and perspective and I’m sure it’s welcomed from a lot of the smaller contractors. I’m curious, given that we’re talking about a lot of private sector organizations and software developers, how do you see a role like Chief Software Officer translating into the private sector and how would you like to shape that?

Nicolas Chaillan:

Yeah, I think it depends on the size of the company. I would say in a normal sized company, a smaller sized company, that’s probably something that the CIO or CTO would do. It would probably be consolidated into those kinds of titles. For a larger organization I think it does make sense to have someone dedicated to the DevSecOps and software. I think what people don’t realize just yet is how much of an enabler the right DevSecOps stack is to enable your teams to build software.

Nicolas Chaillan:

So if you’re a company today, you’ve probably built or used some type of software, and it’s very likely you have to write customized software as well, and if you’re doing it the old fashioned way, you will get behind pretty quickly compared to what China and Russia, but also even the startups, can do today, and so if you want to keep up and be relevant, you probably need to have a DevSecOps stack that’s very, very strong, and the way you architect the system is getting more and more complex with containers and Kubernetes and all that kind of stuff, and so people have to realize the complexity of that, and it does need some dedicated time and really making sure that it’s prioritized.

Nicolas Chaillan:

It’s often seen as a secondary thing that’s not that important, but people are missing that. For example, in DoD we saved a hundred years of program time in one year by using DevSecOps, right? So the hundred years of planned program time, that’s what was going to happen in the next hundred years, is gone thanks to the automation and the DevSecOps pipeline we’ve brought to life for these programs. So an average of 18 months on every five-year program time per program. So that’s massive, and you can imagine that is the difference between keeping up or leading, or being behind your competition as well.

Erin Keating:

Well, I’m fascinated by the fact that this position is now there. You had such an interesting career up until this point, so I’m sure you’re going to take the Air Force and the DoD to completely new levels. I know that a lot of our listeners have been keeping a close eye on CMMC as well as what automation has to do with the way they manage their back offices and their systems and software and keeping an eye on what you’re doing in the Air Force and the DoD I’m sure will help them motivate as well as be better at what they’re doing and the decisions they’re making in their large organizations and enterprises. So I really appreciate you taking the time to talk to us a little bit about that. Do you have any parting thoughts that you’d like our audience to hear from you?

Nicolas Chaillan:

No. The last thing we want to share is we have this website that we’ve put up, software.af.mil, and on that website you’ll find a section on DevSecOps, DevOp as we call it, and you’ll find all the documents, containers, architectural designs; everything is open to the world. It’s pretty unique for DoD to be able to open source that kind of stuff. So we’re pretty excited about it. We have a lot of organizations already consuming it, so we’d love to make sure we get as much feedback as we can. You’ll see there the link to the source code repo to get access to the source code and the containers and all the good stuff. So we want to make sure people have access to that and get their feedback as well.

Erin Keating:

Absolutely. We’ll be sure that we include that URL in the show notes as well for the podcast. So thank you so much, Nicolas. I really appreciate you taking time out. I know that you guys are all very, very busy, and specifically in your role, and we can’t thank you enough for taking half an hour out to talk to us.

Nicolas Chaillan:

Oh, sure. Thank you for having me.

Erin Keating:

Absolutely.

The NeoSystems difference. We specialize in serving organizations of all sizes. In today’s fiercely competitive market, is your organization constantly searching for ways to gain the advantage over competitors? Smart organizations are paying more attention to their strategic back office operations. NeoSystems offers scalable back office services and solutions to improve your organization with a team of industry experts, industry leading information technology tools, and an advanced technical infrastructure from software hosting and security solutions to manage accounting services. NeoSystems will custom build solutions and services that are tailored to fit your organization’s needs. Check us out on the internet at neosystems C-O-R-P.com. That’s neosystemscorp.com.
