Original broadcast 8/19/25
Presented by RegScale & Carahsoft
In cloud security, success depends on clear roles, open communication, and a shared commitment to protecting systems. Dale Hoak, Chief Information Security Officer at RegScale, says that while industry and government each have distinct responsibilities, both sides need to work together more effectively to deliver secure, innovative solutions.
For government, Hoak says the priority should be providing clear, stable requirements. “Here’s what I need, here’s how we need to get there, and here’s how much money you have to work with,” he explains. Too often, he adds, those requirements shift midstream, creating uncertainty for vendors and slowing progress. When agencies clearly define their goals, budgets, and expectations from the outset, industry can build directly to those needs and remove blockers to innovation.
He also notes the growing clarity around zero trust principles as a positive step. By clearly stating the security principles that must be followed — and holding organizations accountable to them — government can simplify compliance expectations while maintaining a strong security posture.
The threat landscape, Hoak warns, is being shaped more than ever by global geopolitical forces, making speed and agility essential. Efforts like FedRAMP 20x and zero trust can help accelerate secure adoption, but only if agencies and vendors remain aligned on the ultimate goal: cyber defense, not just compliance.
“Compliance was never intended to be a whipping stick to keep people in line,” Hoak says. “It was intended to be a road map for security. Good security on the front end should bring compliance on the back end.”
To achieve that, he advocates moving away from point-in-time reviews toward real-time monitoring and cyber resiliency. This approach centers on constant readiness, so that systems stay secure as threats evolve rather than only on the day of an assessment. Security principles and key security indicators (KSIs), the measurable, outcome-based checks that FedRAMP 20x uses in place of prescriptive control narratives, that are stable over time can guide both compliance and operational security without creating moving targets for vendors.
For Hoak, the path forward is clear: agencies must articulate exactly what they need, and industry must deliver it in a way that’s secure, transparent, and easy to approve. With that shared understanding, both sides can move faster, defend more effectively, and keep ahead of an increasingly complex threat environment.
Key Takeaways:
Clear, stable requirements from government allow industry to build solutions efficiently.
FedRAMP 20x and zero trust principles can accelerate secure adoption and open opportunities for smaller providers.
Real-time monitoring and a focus on resilience help shift the emphasis from compliance to true cyber defense.
Watch the full episode at InnovationInGov.com