Rob Gil of Okta, senior director for federal architecture, joins theCUBE Research hosts Rebecca Knight and Paul Nashawaty at Chainguard Assemble 2026 to discuss identity and federal security. Gil explains how the Federal Risk and Authorization Management Program, FedRAMP, National Institute of Standards and Technology, NIST, guidance and emerging artificial intelligence, abbreviated AI, tools intersect with cloud security and software supply chain security. They cover evidence automation, infrastructure-as-code auditing, Department of Defense, DOD, impact levels and Chainguard's role in shaping secure-by-default container and operating system practices.
Key takeaways include the need for automation to achieve continuous audit and assessment. Gil emphasizes that AI can accelerate processes but does not replace human architectural judgment. Nashawaty highlights persistent complexity and skill gaps that increase demand for tooling that embeds company policies into continuous integration and continuous delivery, CICD. Actionable recommendations include prioritizing infrastructure-as-code visibility, adopting automated evidence collection and aligning implementations with forthcoming NIST guidance and FedRAMP expectations. The conversation provides practical guidance for federal and commercial teams focused on cloud security, identity security, software supply chain security and continuous compliance.
Rob Gil, Okta
Hosts: Paul Nashawaty, Practice Lead and Principal Analyst, theCUBE Research; Rebecca Knight, Host, SiliconANGLE Media
In this interview from Chainguard Assemble 2026, Rob Gil, senior director of federal architecture at Okta, joins theCUBE's Rebecca Knight and theCUBE Research's Paul Nashawaty to discuss why federal compliance is overdue for a fundamental shift from manual audits and screenshots to continuous, automated verification. Gil explains how his team translates NIST controls into actionable architecture for FedRAMP and DOD impact levels, a role that demands deep human judgment AI still cannot replicate. He highlights how current AI tools often deliver outdated or inc...
Is it fair to say that the FedRAMP and DoD impact-level assessment process has become more difficult over the years and is now evolving—driven by AI and automation—toward continuous audit and continuous assessment?
What is your role at Okta?
How should organizations approach identity security and secrets management—especially when AI gives outdated or incorrect guidance (for example, referring to a non‑existent JAB authorization)—and what upcoming NIST guidance should they watch for?
How should auditors verify security and compliance in modern cloud environments instead of relying on screenshots and interviews?
>> Hello everyone and welcome back to theCUBE's coverage of Chainguard Assemble here in the Big Apple. I'm your host, Rebecca Knight alongside Paul Nashawaty, principal analyst. We are welcoming to the show Rob Gil, Senior Director Federal Architecture at Okta. Welcome, Rob.
>> Thanks so much for having me.
>> Your first time on theCUBE.
>> Yes.
>> This is a big moment. Yeah. Then you'll be a CUBE veteran.
>> Yes.
>> I want to start by talking about FedRAMP, everyone's favorite topic. It has this reputation in the industry as being this slow, painful, check the box exercise that can take years to get through. This is something you live through every day at Okta. Is that reputation fair or is it actually more complicated than that?
>> It is definitely fair. Over the many years now that I've been doing FedRAMP and DOD impact levels, the process has only kind of gotten harder with more requirements, more things coming in. And so the process hasn't really changed. But now in the age of AI, things are substantially changing. We are starting to look at ways to accelerate all of that. The fine work that Pete Waterman's doing over at FedRAMP and their vision, which I agree with their intent and their vision, is that to get to a continuous audit and continuous assessment state. And the only way to do that is through automation. And so we're really seeing the industry dig into that now and startups and so on, starting to address those challenges.
>> Yeah. With compliance regulations and governance really taking front stage, I mean, especially in the app dev world, I mean, you see a lot of focus with AI and using compliance regulations and governance with these new rules and such that are going in place. When we look at compliance, it's no longer just like an audit kind of checkbox, like as you were saying, checkbox, right? But it's really embedded into the whole process and flow. How would you say ... It's kind of a big process, but how would you say has that changed with the introduction of AI and what should the audience think about when it comes to using AI versus what previous FedRAMP kind of compliance looked like?
>> Yeah. So AI is going to be helpful, but it's not going to be a perfect solution. And we've seen this when we've tried to adopt AI at Okta as an example. So one of the things that I do ... So Rob, what do you do at Okta? Well, I'm the federal architect at Okta or one of them, I now have a team. And so our team, what we do is we advise all of the engineering and product teams and even enterprise IT teams on what they need to do to meet FedRAMP and DOD impact level requirements, as well as now CMMC is now coming into the fold. And so as part of that, we advise them on how to meet all of these compliance aspects. The challenge is that AI doesn't necessarily give the right advice on how to do things. It also doesn't know how to say what takes preference over another. And at a certain point, you have to make a risk-based decision for your business about how you're going to meet various controls. So let me give you an example. You might need to meet some NIST 853 control. And then 853 control tells you that you must do this, doesn't tell you how. So who tells you how? Well, sometimes companies will go out and reach out to 3PAs, or third party assessors, but they're usually assessors. They're not engineers or architects. So herein lies what I do. That's exactly what I do is I advise, I translate NIST controls into architecture, security implementation, things that I know are tried and true that can meet those controls that will pass audit, but also be obviously secure. You got to know what the intent of the controls are so that you can implement solutions that meet them.
>> You're the human who has to know what the intent of those controls are. And you were saying something about how the AI doesn't always give the best advice, which gets back to what Dan Gillespie was talking about this morning in the keynote about humans ... The coding is no longer the bottleneck, it's the trust. And so you, as the person who is architecting this, needs to make sure that you're trusting the system and that it's trustworthy too. So how do you, you personally, maintain that, acquire that? I mean, how do you-
>> The knowledge of all that stuff?
>> Yeah. Or it's also just ... And the knowledge of it and then being able to trust that it's also happening in the background too.
>> Yeah. So a quick aside, interestingly, how AI is one of those things. It still thinks the JAB exists, right? So how do you advise somebody that's like, "Oh, well, I looked it up on AI and it told me I got to go through the JAB authorization for this." I'm like, "Well, that doesn't exist anymore, so let me help you through this." I spend a lot of time, I work with NIST as part of our collaboration with CISA's Joint Cyber Defense Collaborative. We work closely with them. We've been working closely with them on the NIMBUS 2000 Initiative, which you can find all of that information online, but basically improving identity security for the nation. And so out of all of those, we continually improve on security. So recently I was working with them on NIST IR 8587, I think, 8567.
>> We believe you.
>> Anyway, it's a new interagency report around tokens, secrets handling, secrets management, secret storage. So it's the first time that that is coming. So it's novel stuff, obviously, and AI is not going to know anything about novel things. It's not going to drive a lot of those types of things. So we're driving industry change for all of that. And so I'm learning by also improving the security of that. And so when teams are like, "Oh, well, what NIST guidance should I follow?" Oh, I was like, "Well, the one that I wrote and contributed to, and here's the guidance we submitted." And we expect it to be published sometime when the shutdown I think ends for NIST and sometime March or April, I'm guessing. But that will be a huge change for people implementing security controls. And once NIST formalizes it, usually FedRAMP and DOD will follow. And it has some very important and strong security controls that came out of the backend of the CSRB report, as well as SolarWinds and the numerous other attacks that NIST is focused on working on mitigating for going forward, how do we prevent that from ever happening again?
>> Sure. So there's kind of going along the same lines, you have the trust factor, you have the know-like factor, you have the areas around which tools you want to use, and a lot of developers and organizations will use their bespoke solutions. One of the things that was interesting is, and I kind of got the same vibe out of the keynote, was the complexity is a challenge. When I talk to organizations, they tell me the two main barriers they run into with regards to security protocols and such, is complexity and skill gap issues. Those are the two main things you hear. And you hear it across the board. So we're trying to overcome those skill gap issues by using AI and tools, but you got to know I can trust it, going back to the trust piece. But one of the things around software supply chains, it is complex and the governance regulations and compliance that go into place, governments and enterprises are looking for ways to build verifiable trust solutions around supply chain and not only trusting it, but there's executive orders in place, there's regulations in place. How do you advise people that will be watching this session to understand how they could move forward with that, regardless where they are in their journey? They could be fully mature in their journey or they can be really early in their journey and still just trying to figure out how to get going.
>> Yeah. That's a great question. So it's 2026 and we still collect evidence with screenshots. And how do you build trust? It's with everything. It's trust but verify. And the verification today has been haphazard or spotty. Spotty, I think is the word I prefer. So whenever an auditor comes in, what do they do? They spot check things, right? They look at things, right? Do they have access to any of your systems? Usually, no. Do they know about your environment other than what you send them in the diagram or the system security plan document that you share with them? No. So if you don't have any ... If it's not disclosed in there, if you don't have all of that detail, the auditors don't know to audit it. So what I see as the future is that at some point we are going to start doing trusted but verified audits where instead of doing it the old fashioned way where you interview people, which I do a lot of interviewing, you do a lot of interviewing. We're going to interview your code, this is where this is going. So just like we do, you look at code to look for vulnerabilities, you don't ask the developer, is your code vulnerable, you go look at the code. We should be looking at people's infrastructure as code. We should be looking at their cloud posture directly. We should be looking at their code to make sure that they're, one, patched, secure, but also FIPS compliant. We shouldn't be interviewing people or looking for screenshots for these things. It's way too critical to be relying on such a stone age technique.
>> Well, I want to just double click on that just a little bit, because I think that there's a piece that you talked about, which I find incredibly interesting. Across the SDLC, you do have dynamic discovery of what's happening within the SDLC, right?
>> Yes.
>> In the SDLC, assuming it's all part of the same SDLC.
>> Correct. Absolutely. Correct. And if you kind of put the pieces together that should be figured ... And a point, I want to kind of get back to in the CICD pipeline, there's also this kind of notion of continuous compliance, right? So you kind of have this view of how continuous compliance looks, but what I'm hearing you say is different than what I hear in practice, how it should be deployed. It's like traditional compliance is happening with auditing, you said you're auditing code, right auditing people. What does continuous compliance look like maybe now and in the future?
>> Yeah. Now, I mean, most folks are using more predictive policy enforcement type stuff. Sentinel is one example. There's a bunch of others. If you're running a product like Snyk or any of the other vendors that are looking at code, they'll make recommendations and so on in there, but they have no idea necessarily what your company policies are. You might have a stronger company policy than what their recommendations are. And a good example of that is let's say key lengths. Commercial industry standard might be X. Yours might be longer because you're a security company, you're the front door for 20,000 companies and their secure data. So you had to have maybe a longer one. So how do you get that to engineering teams? I think there's vendors, a couple of which I'll mention that are working towards this. There's TestifySec, which is working towards kind of the automated evidence collection and mapping to controls and kind of doing automated auditing in a lot of ways. And then there's Chainloop, who I just met here at the conference, which was awesome, really excited about what they're doing as well. Where they're doing it in the CICD pipelines, where they're looking at the code, comparing it to like NIST standards, you can even have your own company standards in there. So that example I said about key length, it's like, okay, well, which key length should I use? Should I use the FIPS 140-3 requirements? Should I use the NATO standard? Should I use the, I forget, ISMAP, the Japanese government standard, Canadian standard? Which one do I use for my company?
>> Right.
>> Because you have all these to choose from. And which crypto algorithms do I use? Different countries have different things. ChaCha-Poly is a big conversation. It's allowed in commercial use cases and so on, but it's actually not allowed in US government or European government or NATO. So it's like, well, we're actually much closer to requiring FIPS almost everywhere at the company versus just for US public sector.
>> So we're here at Chainguard Assemble. I understand you're now on Chainguard's FUD Committee, Fully User Directed Committee. Talk a little bit about that. I know that it's focused on helping organizations use tools like Chainguard containers to meet compliance goals. What do you see your role on this committee is doing and helping steer Chainguard in terms of what the market is looking for too?
>> Yeah. So first off, I am absolutely flattered and honored to be invited to be involved in such an impactful thing. I was sitting in the keynote today and I was looking at the screen at all the companies on there and it was like-
>> The who's who.
>> It was the who's who of security minded companies. And so the FUD, yes, it's exciting, but I've also been part of the Chainguard Advisory Board now for a while. So this is kind of the next extension of that. But a lot of the features that were talked about today, we've been discussing for like two years basically. So like the custom CA stuff, the custom build stuff, all of those things that we've been working with Chainguard on for quite a while. So the Chainguard FUD is the next extension of that. And so my view is that Chainguard is ultimately going to become the next operating system. It is disrupting the operating system or distribution industry. While every one of the major vendors are distracted by AI, Chainguard is creeping in and disrupting this area and building for the future. OSs shouldn't have stopped. Why did we stop innovating on them? And then there's been a little bit of innovation, but where did all the innovation really go? It went into like Kubernetes and things like that. Relies on some of the OS, and it's not to discount some of the things. But like I think the most consequential update that I feel like has been there was like Systemd, and that's an extremely nerdy reference. But what I want to see is greater innovation on the operating system sides, continuing to do what Chainguard is doing best, which is eliminating toil, eliminating the gap between what you want the target state to be and where you started from. Everybody starts usually from an image that's bloated, it's got too much stuff on it, it's got everything enabled. It's not secure by default. Chainguard is flipping that, they're starting secure by default, secure by design, getting it out there. And we have actually a long road to go and I have lots of ideas which we'll be discussing in our first FUD meeting and I'm looking forward to that soon.
>> Well, a fantastic note to end on. Thank you so much Rob Gil.
>> Thank you.
>> I appreciate you coming on the show.
>> Thank you so much. It's been a pleasure.
>> I'm Rebecca Knight for Paul Nashawaty. Stay tuned for more of theCUBE's coverage of Chainguard Assemble. You're watching theCUBE, the leader in enterprise tech news and analysis.