Events
The Challenges of 3rd Party Software Risk, From Contributions to Consumption
Everyone is talking about the risks of AI in our supply chains. But in reality, AI is just introducing an old problem at a terrifying new speed: 3rd-party risk. So how do you trust code you didn’t write?
Oldschool hard-earned lessons of securing traditional 3rd-party software are still valid for today’s fastest-moving AI era.
Join our expert panel as they discuss:
- How to trust upstream contributions when maintainers are flooded with AI-generated PRs and bug reports?
- How to move past static SBOMs to drive actual risk and security decisions?
- Can we safely ingest and manage 3rd-party code without killing developer velocity?
From Paperwork to Provenance: Navigating the FedRAMP 20x Pivot
The “standard” FedRAMP playbook has been rewritten. With the full-scale rollout of FedRAMP 20x in 2026, the program has officially shifted from static, narrative-based documentation to a model of continuous validation and machine-readable evidence. For security engineering teams, this isn’t just a policy update—it is a fundamental change in how cloud-native architectures must be built, audited, and maintained.
Together with InfusionPoints we dissect the new FedRAMP 20x milestones to answer the “how” of engineering for federal scale in the age of AI and automated GRC.
Key Discussion Points
- The Key Security Indicators (KSIs) Shift: How to move from “writing a policy” to “streaming a metric.”
- 2026 AI Governance Overlays: What does “trustworthy AI” look like in a machine-readable authorization package?
- Legacy Rev5 vs. 20x Validated: When to switch from “Certified” (Rev5) path to “Validated” (20x) to avoid the 2027 end-of-life for legacy submissions.
- Automation-First Architecture: Engineering your CI/CD pipelines to output OSCAL-compliant logs that satisfy the new machine-readable submission requirements (RFC-0024).
- The “No-Sponsor” Strategy: How to bypass the agency-sponsor bottleneck by leading with technical maturity.
