Leveraging Partnerships to Accelerate Accreditation
Summary:
Join Mamie Cruse, Josh Dries, and Paul Bockelman in a compelling discussion on the transformative power of partnerships in accelerating accreditation, particularly within the public sector. This conversation delves into Google Public Sector's innovative approaches, Second Front's Game Warden product, and their collective efforts in streamlining the path for SaaS companies to efficiently serve government needs. Discover how these collaborations are redefining the journey towards rapid accreditation, ensuring cutting-edge technology swiftly reaches the hands of those serving critical missions.
Transcript:
Mamie Cruse (00:18):
So we're going to be talking today about kind of the power of partnerships when it comes to accelerating accreditation. So I wanted to start by, well first, Josh, making sure that you feel ready to kind of start, because I know-
Josh Dries (00:32):
I'm comfortable.
Mamie Cruse (00:33):
... this morning I had breakfast with Josh and Paul and Josh said to the waiter, "Can I do the buffet? But can you bring it to me on a plate?" and he wasn't joking.
Josh Dries (00:46):
That’s the way it played out. So I'm ready.
Mamie Cruse (00:49):
So you seem much better now.
Josh Dries (00:51):
I am. I'm good.
Mamie Cruse (00:52):
Awesome. So let's start with a round of intros starting with Paul. And then I want to cover just who Second Front is.
Paul Bockelman (00:59):
Sure.
Mamie Cruse (01:01):
What we do and then our partnership, and then we'll dive into the nitty gritty. So go ahead Paul.
Paul Bockelman (01:04):
Thanks Mamie. Hi everyone. Paul Bockelman, Director of Technology in our solutions team within Google Public Sector. So what is that? Well, there was a need a year ago, I joined Google. Prior to that, it was nine years at AWS where I helped start the DoD team that is now what's up and running there. And so when I joined Google, I came specifically with that experience and said, "Hey, how can we redefine the relationship with government and our partners?" And specifically from a partnership perspective, he used to always say, "Partners will trust us with their data but not their secrets." And so I said, "Got to change that. It's got to be a new paradigm." So with the birth of Google Public Sector as a new company, it was an opportunity for us to rewrite the book.
(01:57):
And so joining in and coming to Google, I started out in a partner organization with really the mission of let's build the ISV ecosystem as fast as possible, but more important than just getting a bunch of companies to sign up, it was how do we get them ready to be able to sell to the government? And so we started working, I started working with Josh and team to begin to create that program. And so that's where our partnership was forged and more about that later.
Mamie Cruse (02:31):
Yeah.
Paul Bockelman (02:31):
Thank you.
Mamie Cruse (02:31):
Yeah, Josh?
Josh Dries (02:32):
Yeah, so Josh Dries. I've been at Google for almost a year. Before that, I spent some time at Cisco doing some really cool stuff with the DoD and consolidating some contracts. But really the time at Google has spent, since Paul mentioned, we've only been around in the public sector officially for about a year and a half, but starting to get that ecosystem built on GCP and part of that to sell to the federal government is getting ATOs. Everybody here knows that. And if you haven't played in that game, there's a lot of groundwork that had to have been done. So I've spent the last 10 months talking to no less than 300 different software manufacturers as big as the biggest on the planet to as small as one person shops doing super secret squirrel things in INDOPACOM.
(03:27):
And so just understanding what are their requirements, how do they want to go and sell that innovation, their innovation into the government, and how can we do that quickly? How can we take that innovation and get it into the hands of the war fighter and the mission owner so that they can go accomplish their mission?
Mamie Cruse (03:44):
Awesome. And hi everybody. I'm Mamie Cruse. I'm VP of Partnerships and Alliances at Second Front. So I work closely with our CSP partners. And today obviously we'll be talking about our partnership with Google. Just a high level of what Second Front is, we have a product called Game Warden that the mission is really to help accelerate innovative tech, get it in the hands of the war fighter. So removing the accreditation barrier and making it easier for SaaS companies to actually be consumed by the end user on the government side. So our platform as a service is called Game Warden, and by running on us, you inherit our accreditation and can go deploy out to impact level 2, 4, 5 and beyond. So that's the gist of what Second Front is and what we do. And from a partnership perspective, just to set the stage a little bit about what we're doing together, we're obviously running our Game Warden product on GCP, but also earlier, well, I guess it was last month, Google Public Sector announced the ATO accelerator.
(04:51):
So that's kind specifically what is spawning this conversation. And the ATO accelerator is kind of Google Public Sector's foot stomp that we care about investing in accelerating accreditation and it matters to us and we're really hearing that this is a problem and paying attention to it and doubling down on a solution. So Second Front is one of those partners in the ATO accelerator program. And so that means we're doing a lot of things together and it's been really rewarding and fulfilling working with your team and super fun. Seriously-
Josh Dries (05:28):
Did it hurt you to say that?
Mamie Cruse (05:28):
A little bit. A little bit, but I mean it too. So I wanted to start with talking about the Google Public Sector journey. So a year old, I remember going last year to the first Public Sector summit, and I remember my CEO, Tyler and I were there and it was the United States Postal Service, yeah. And it was like that was kind of the big innovation and we were like, whoa, okay. And no dig on USPS, right?
Paul Bockelman (05:56):
Yeah.
Mamie Cruse (05:56):
But that was to me, thematically a big takeaway. And then this year, like night and day. You have Aaron Weis, former Navy CIO on the Google Public Sector team on stage talking about accreditation, talking about getting Google services accredited and the roadmap for that and his work with DISA and it was complete night and day.
Paul Bockelman (06:20):
Yeah.
Mamie Cruse (06:20):
And in an awesome way, right? So where do you see Google Public Sector in another year or where do you want it to go in another year and beyond?
Paul Bockelman (06:31):
When I look at it beyond a year, I think it's going to be exponentially larger than it is now. And it's not going to be exponentially larger because we're building a bunch of services or we're creating a whole bunch of marketing. It's going to be exponentially larger because we're able to deliver mission options to the people who need it the most. So if I take a step back and say, look at big Google, right? You know, there's a mixed history there.
(06:59):
I was at AWS when Google withdrew from the defense, and a lot of people were mad about that, justifiably so, right? But with the birth of Google Public Sector, that was Google's way of saying, "Okay, we are going to build an organization specifically focused on our public sector customers so that we can meet them where they need to be, not try to drag them into our world." And so then when I got the call and I was like, this is a great opportunity to come over and build something from scratch and do it the right way. Well, not that it was done the wrong way, but just do it a different way.
Mamie Cruse (07:39):
Mm-hmm. Intentionally.
Paul Bockelman (07:40):
Yeah, and be very intentional about making it. Everybody looks at the ATO process and goes, okay, well there's $3 million and 18 months of my life for a maybe. I was like, no, store that away. Let's not do that anymore. Let's figure out what the mission owner needs and back into the solution. And that solution may be a couple of native services within the Google Cloud portfolio plus two or three or one ISV that is actually developing and creating a compensating capability to then go to the mission owner. So we have a long road, Google has a long road, still, when it comes to getting all of our native services, our primitive services, all up to IL5. And it's not because they don't want to do it. It's because if you take a look at Google compared to other cloud providers, Google's a product company. It has been for 25 years always creating, always creating products. And those products are always being built and delivered at a global scale, okay?
(08:54):
And so now if you look at what FedRAMP requirements are and DISA requirements, it's like no, you can no longer do things at a global scale because it has to be within CONUS. And so it's like, oh my goodness, we have to pull air out of the balloon and try to get everything to fit here neatly. So when I came in, I was like, you know, that shouldn't matter. There's still a way for us to participate in the DoD mission, and to do it with cutting edge technologies like today, not a year from now, not in '25, not in '26. And so that's where I started calling things, compensating capability. So if you think about it in the controls packages, hey, we don't check this box directly, but we do all these compensating controls to meet the spirit of whatever that control was. While I'm looking at it from a solutions perspective saying, "Let's come up with compensating capabilities," which translates directly into the ISV community.
(09:57):
People have built capabilities and solutions that immediately can make an impact where the only barrier is getting them through an accreditation process. And so that's where our partnership, it's a game changer, literally, and I'm not trying to be cliche about it because it's like we put the focus on where it should be, and that's on the actual mission owner. We're not trying to get bogged down into all of the different nuances about the accreditation process. And we want to make sure, while security and the accreditation is super important, and that's why Game Warden exists is because you guys take that very serious and you're delivering that to the war fighter, we're looking at it saying, let's get as many ISVs into that pipeline as possible because now we can take a software vendor who may have one of the best widgets in the world and in the hands of a war fighter could be the difference.
(10:57):
But they look at it and say, "We're not going to go down that path because it's too expensive, it takes too long and we're a small company, and if we take those resources away to pursue accreditation, then we are basically cannibalizing our commercial business." So we want to say, "All right, we want your idea, we want your tech, let us help. Let us carry some of the risk for you and help get you there faster so you can start to monetize your solution." So sorry, I rambled a bit.
Mamie Cruse (11:27):
Next time. I'm going to cut you off, but you're fine.
Josh Dries (11:30):
I have nothing left. I have nothing left to say. But I-
Mamie Cruse (11:31):
But from more of an ISV perspective 'cause that's where you're spending more of your time, where do you see or where would you like to be a year from now?
Josh Dries (11:41):
Yeah, I think the first year was really going out and understanding which Google partners have been trying to sell into the government. If you think about the landscape of the world, Google's got a really, really, really big commercial foundation of software companies that have built their software on Google's platform. And historically, in order to sell into the government, they would either have to completely refactor that to go on another cloud provider or they just said, "No, we'll just sell to commercial and not worry about it." And so a lot of the ISVs that I talked to in the Google ecosystem have a lot of this innovation that the government could use and wants to use, but they've never been willing to refactor, they've never gone through that process. And I think what we've done now is we've been around for a year. We are a separate company, so we're a separate bet.
(12:30):
We've got our own CEO, we've got our own board of directors full of former or retired generals and admirals, other people that speak into or can speak the public sector, whether that's state and local or that's fed civilian or defense or IC. And I think just the sheer ability for the government now to tap into that resource that they've never really quite been able to tap into, like the 300 that I've spoken to in the last year, I think in the next year it's going to be 700.
Mamie Cruse (13:01):
Yeah.
Josh Dries (13:01):
Or 1,000 potential opportunities, especially partnering with Second Front to enable the government access to that to solve a problem in a much quicker way.
Paul Bockelman (13:13):
Yeah.
Mamie Cruse (13:14):
Yeah. Awesome. Okay, so that kind of ties into the next point is why does Google Public Sector care about speeding up accreditation? So we've talked about on a day-to-day basis, we work a lot together on where's this service at? When is this going to be IL5 ready? and all of that. We've talked about how if you go through the work of getting all your services and stuff accredited, but there's no consumption and there's nothing running on it, it's all a moot point and a waste of energy. So we want to make sure that we're coming behind this pipeline of service accreditation with volume of ISVs deploying SaaS and being consumed. So I kind of am answering it for you, but say it in a different way.
Paul Bockelman (13:58):
Well, I mean everything you said is very accurate. Just being in the cloud industry for the last 10 years, you look at each of the services that any particular provider has, it's a profit center within the bigger company that they're a member of. So when a public sector organization or a sales team goes to a service team and says, "Hey, want to have a conversation with you, I need you to change 30% of the way you do business because my customer might, keyword - might, be interested in buying your services." And those are usually not pleasant conversations. They don't go well. So when I see, and eventually it gets into escalation after escalation, customer comes in and a customer says, "Hey, I'm willing to make a big bet, get your stuff accredited." Okay, service teams do their thing. Can't blame them for the behavior because they're being held responsible to grow their business and they're going to do it the best way they can.
(15:01):
Just like we were talking about startups who were reprioritizing their funding and their resources to stay with what's paying the bills as opposed to what might come in the door. And so when I look at our partnership, I see it as a way for us to collectively prove to the service teams there's a demand. And oh, by the way, here's the pipeline of consumption for these services. And oh, by the way, while we are meeting this demand, there's going to be additional capabilities needed in excess of what already is available. So when I talk about coming in and rewriting the book or writing a new chapter, that's one of the things I'm going to look at is say, "No, I'm not going to go argue with the service team.” What I'm going to do is I'm going to create a groundswell, and then go with them with a basis of facts and say, "Tell me why we shouldn't prioritize this business now" as opposed to trying to sell them a maybe.
Josh Dries (15:59):
Yeah. I think one of the benefits of us going down this road of ATO acceleration is that quite frankly, we had to. Like benefits for us and benefits for the government. The other hyperscalers have been doing this for a decade now, and if we really wanted to foot stomp, to use your term, the fact that we're dedicated, we had to say, "Okay, not only are we dedicated, we are going to help and enable all of our partners that are built on GCP to bring their innovation to the government too." And so we've partnered with Second Front, we've partnered with other companies because historically what's happened, and everybody in this room probably knows that it's, oh, it's going to be $3 million and 18 months before you can get an ATO. And then every single software vendor on the planet has basically one of two decisions to make.
(16:57):
Do I use my engineering resources 'cause that's not unlimited, to build the new whizzbang fund feature that everybody in commercial land that's already paying us money wants? Right? Or do I just make my product more compliant? And no one really wants to go down that road, and so we, I think, have taken the onus of helping to incentivize that. So when we say ATO acceleration, it's Google offering support in what that looks like. Maybe that's cloud credits, maybe that's bringing in the Second Front to ride on that system to get something there quicker. Maybe it's some engineering resources with our services organization, there's a lot of different levers that we can pull to try to accelerate that, whether that's if they want to build their own house and their own ATO or if they want to rent their IL2, 4, 5 from Second Front. Either way, it's all about accelerating the government's access and our ISV partners access to that ATO.
Mamie Cruse (17:55):
Yeah, absolutely. Love it. Okay. And then just pulling back a little bit and thinking about Google Public Sector holistically, you guys are almost like a startup.
Paul Bockelman (18:08):
Very much so.
Mamie Cruse (18:08):
I mean, it's kind of crazy and you're playing some catch up and I don't know if forcing is the right word, but it's enabling maybe you to do innovative, unique things. And so from my DAM is partnerships, and that's what I love is leveraging partnerships as an accelerant to whatever it is. So from a partnership perspective here or anyone in the audience maybe, talk about, bring those ideas to you, right?
Paul Bockelman (18:40):
Yes, absolutely.
Mamie Cruse (18:40):
I mean, I'd say that's how this got off the ground is what we're talking about today is saying, what can we do? There's a problem. How can we make a solution instead of just be talking about the problem?
Paul Bockelman (18:51):
Right.
Mamie Cruse (18:53):
And we've really, this is kind of a testament to doing that and GPS's appetite to lean in, to think outside the box, to not need a playbook yet. So I love that, obviously, but to the audience, talk about that opportunity of you've got a disruptive idea or you're roadblocked somehow. And I would encourage anyone, bring it to you guys, talk to you guys about it, see where there might be some unique play that it has never been done before.
Paul Bockelman (19:25):
Right.
Mamie Cruse (19:26):
because that's what I'm kind of seeing here.
Paul Bockelman (19:27):
Yeah, I mean, so when you look, we are playing catch up. There's no secret about that. But instead of trying to compete against other CSPs who frankly have done a very good job of delivering scale and making it available really quickly and easily. While Google can do that, it makes no sense for us to go into the customer's boardrooms or wherever and say, "Let's go compete on, okay, this processor versus that processor." That's not going to move the needle. It's not going to move the needle for anyone. What we got to do is differentiate ourselves by saying, "Here's this really difficult problem, and we are scrappy enough that we will actually go out there and put ourselves out there to kind of create the solution."
(20:17):
Now I joke around with my colleagues, and you've heard me say this in the last couple of days, it's like 2024 is going to be a big year for me personally. I'm either going to get promoted or fired because of this approach, and I'm okay with either because frankly, if I get fired because I delivered too much innovation or too much disruption to a market that wasn't ready for it, I'm okay. I'm okay with that because I was looking for a job when I found this one. So I'll land somewhere and be able to continue that. And I just say that tongue in cheek, but I really want and am actively seeking because a little bit of backstory, I came in a year ago into Google, into the partner organization to lead the partner ecosystem and things around security. Very quickly started working with Josh and his colleagues around building that ecosystem.
Mamie Cruse (21:09):
Okay.
Paul Bockelman (21:11):
And what we quickly realized is that there's some really great tech out there, but it's not enabled the right way. It's not getting to market the way it needs to be. And so in my role in the partner organization, I was able to hand wave and say, "We need to do these things," but there was actually nobody on the other end receiving that signal. And so I literally got a phone call from one of our executives and said, "We know what you did when you were at AWS," which I was actually a disruptor there, for almost 10 years. They said, "We want you to move over to the technology organization and be disruptive." I was like, sweet, this is great right? And then I looked back at the partner organization and I was like, this is actually probably a thousand times boost for the partner organization. I can now pull the partners through and get them into really interesting and meaningful situations where they're delivering positive value instead of fighting against the big guys and always trying to get a seat at the table.
(22:11):
What we're doing is we're like, oh no, we got a seat at the table and here's all of my friends that are going to help deliver on this capability. So I was really excited to do that. So now I'm taking all kinds of input man. If you got ideas you're like, has anybody ever thought about this? Because I told Josh and others, I'm like, everybody knows the rules. Those aside, if we could rewrite the rules, how would we rewrite them? And let's work backwards from what the mission requirements are. And there's going to be times where we're like, yeah, that is way too aggressive, you're never going to do that, or you won't do it within the next 10 years.
Mamie Cruse (22:43):
Yeah.
Paul Bockelman (22:44):
Okay, let's recalibrate.
Mamie Cruse (22:46):
Or here's a bridge to get there.
Paul Bockelman (22:46):
Yeah, exactly. Here's a bridge.
Mamie Cruse (22:48):
Great idea, idea, but in the next year we can do this.
Paul Bockelman (22:50):
Exactly.
Mamie Cruse (22:50):
Yeah.
Josh Dries (22:52):
Well, and I think everybody thinks about Google. I think everybody thinks about Google as a pretty innovative company, and it is literally seeped into you and trained into you from day one. In your onboarding, they talk about 20% extra time and going and doing innovative projects, and they talk about moonshots and think 10x. And these aren't just hand wavy things. We have to take training on this. And if you look at it, there's a quote that he's said before in one of his talks is that Google was 16th to search. And so yes, we're late to the game, but if you take the power of Google and the innovative thinking in the culture, it matters. And I think the government's already seeing that in a real way with the way that we do GovCloud versus assured workloads. And Bryon Kroger said it on day one and we appreciated the shout out, but it's software-defined logic for all the way up to IL5.
(23:56):
And that is game changing. It's game changing, not just for the government, but for software companies. Back to my point earlier, if a software company wants to sell into the government and they have to meet all the compliance regimes, and they have to do that specifically for, let's call something GovCloud. Well, let's say they want to sell to Canada and have to meet Protected B, and they want to sell to the Australian government and they need IRAP and they want to go into Europe and they have to meet GDPR. These are all different builds that now they have to support. Is the juice worth the squeeze? A lot of times they're like, no, it's not. Versus what we've built in assured workloads. I may simplify this a tiny bit, but it's basically copy paste into a new folder.
(24:43):
And so the commercial parody of now what a software is able to sell and give an innovation they're able to give into government is significantly better from a commercial parody perspective. It's not one static thing that was developed two years ago, and once again, talking about continuous ATO and prod, I think the way that Google has built their compliance regime with assured workloads fits so nicely into that message of keeping things in prod and keeping things updated and nice and crisp and fresh in prod.
Mamie Cruse (25:18):
Yeah, awesome. The red light's blinking at me. We're out of time, but...
Josh Dries (25:24):
Bing. Bing.
Mamie Cruse (25:25):
Can we take questions if they're? Are you guys okay with that?
Paul Bockelman (25:28):
I'm happy to meet.
Josh Dries (25:28):
Sure.
Paul Bockelman (25:29):
Afterwards.
Speaker 4 (25:30):
So a lot of our federal agencies who work with, they are expecting SaaS providers to be veterans approved. How does using Google's solution allow them to accept that ATO that they get other than going through that process?
Paul Bockelman (25:45):
So on the FedRAMP side, so whether it's, we have over 90 services of our native services, are FedRAMP moderate, and then we have is it like 19 or 20 services, I think right now-
Josh Dries (25:57):
[inaudible 00:25:57].
Paul Bockelman (25:57):
... that are FedRAMP high, more in the pipeline. There's, at various levels there. So from a federal civilian and even a state and local, the ability to use all of the services in region, all of our regions in continental US are at a FedRAMP. In fact, actually-
Josh Dries (26:18):
No, it's the world.
Paul Bockelman (26:19):
... all of our global regions are at a FedRAMP moderate. FedRAMP high is just the US. There's a lot of work that can be done immediately by partners and customers in that.
Josh Dries (26:29):
Well, and so just to real quick add onto that, if they have FedRAMP on another hyperscaler, that's basically like you can get that done on Google with a significant change request in a matter of a couple of months, and it's just solutioning and submitting that up through FedRAMP.
Paul Bockelman (26:46):
But your question was, can you clarify a little bit more?
Speaker 4 (26:52):
Yeah, so SaaS provider wants to host their solution on GCP.
Paul Bockelman (26:55):
Okay.
Speaker 4 (26:55):
But that has to be accredited by FedRAMP.
Paul Bockelman (26:57):
Right.
Speaker 4 (26:57):
The whole product.
Paul Bockelman (26:57):
Right. Yep.
Speaker 4 (26:59):
How do they get reciprocity for the ATO that they get out of this process if the federal government is expecting FedRAMP approval?
Josh Dries (27:09):
So a SaaS provider can get FedRAMPed on GCP just like they can on AWS or Azure. It seemed-
Paul Bockelman (27:14):
Same process
Josh Dries (27:14):
... pretty equally across the board. So it's the same process as the other hyperscalers.
Speaker 4 (27:18):
So you're just abstracting away underlying infrastructure?
Josh Dries (27:22):
Yeah, we-
Speaker 4 (27:22):
[inaudible 00:27:23]?
Josh Dries (27:23):
... provide the IaaS and PaaS and then they inherit our controls, up to a certain degree.
Paul Bockelman (27:27):
Now, when you get into IL, FedRAMP high or IL4 or 5, that's where partners like Second Front are key because they already have, I mean, there are design pattern requirements when you get at that level where there's no egress direct to the internet or from the internet into a virtual private cloud, it all has to traverse the government's network. So all of that is extra thing, those extra things are coming with it, which typically takes a while for a company, a SaaS provider going through the process. They look at it and they're like, hands up in the air, I'm not going to do it. And what they're bringing with Game Warden is “you focus on being a SaaS provider and working on your SaaS, we'll work on the infrastructure and the network connectivity to make sure that you're compliant.” And all of that's being done on top of GCP where all of our native controls and everything are being inherited. So your full ATO package is all basically signed off on every level. Good question. Thank you.
Mamie Cruse (28:34):
Yeah. Any other questions? Awesome. Well, thanks everybody for sitting in.