RegScale, a Tysons Corner, Va.-based provider of compliance automation technologies for highly regulated government and business organizations, officially launched operations on November 30 with $1.5 million of new funding.

The new company was spun out of the existing C2 Labs operation that developed RegScale’s underlying technology, and is headed by Federal government veterans Travis Howerton, co-founder and chief technology officer (CTO), and Anil Karmel, co-founder and CEO.

Howerton is a former CTO at the National Nuclear Security Administration (NNSA) and deputy CIO at Oak Ridge National Laboratory, and Karmel is the former deputy CTO at NNSA and developer of cloud computing solutions at the Department of Energy Nuclear Weapons Complex at Los Alamos National Laboratory.

The aim of the new business, Howerton said, is to bring “the principles of DevOps to compliance to solve the most difficult compliance headaches that companies face and help them transition their manual, static compliance documentation and processes into a dynamic, automated, and collaborative platform.”

One of the initial focuses of the business is cybersecurity applications, he said.

“The cybersecurity industry has been heavily focused on the concept of ‘shifting left’ security to make cybersecurity real-time, continuous, and complete, which positions compliance as the new bottleneck in the digital transformation process,” he said.

RegScale will use the new funding – from investors including the Virginia Innovation Partnership Corp. and New Dominion Angels – to scale operations to meet growing customer demand.

The company’s current customer roster includes a mix of public and private sector organizations including the U.S. Air Force, the Department of Homeland Security, Johnson Controls Federal Systems, and a Fortune 500 financial services company.

Karmel said that customer success stories include one customer that was able to cut cyber insurance premiums by $500,000, and another that ramped up to process more than 70 Defense Department Cybersecurity Maturity Model Certification (CMMC) system security plans within a few months.

“One customer was able to dynamically report their state of compliance in real time in Tableau by integrating RegScale with, bringing in cloud compliance findings and marrying them against manual assessments of compliance controls,” Karmel said. “This allowed them to continuously meet their compliance obligations and update their documentation in real time.”

In an interview with MeriTalk, Karmel explained that RegScale’s mission is to “really leverage automation, where it makes sense to build compliance documentation for new applications, and really to help with this compliance pain that folks have. That’s what birthed the technology we have created.”

“We’re trying to launch this movement around what we’re calling RegOps, to really change how compliance is done,” Karmel said. To help organizations start on the path, he explained that RegScale offers a freemium community edition of its service, along with an enterprise version that is being used by its larger customers. RegScale is also able to integrate with customers’ existing security and compliance applications, he said.

Asked about what types of regulatory compliance burdens RegScale can help customers tackle – Federal, state, local, etc. – Karmel replied, “the short answer is yes.”

“Where our platform is different is that we address any compliance requirement,” he said. “So it doesn’t matter what that compliance requirement is, we have built an extensible platform to address any compliance requirement in any geography. We’ve taken this horizontal approach to compliance.”

Karmel said RegScale is aiming initial efforts towards cybersecurity “because of our backgrounds and our experience,” but added that “the platform itself has broad applicability to support any regulatory requirement.”

Specific to RegScale’s Federal government applications, Karmel explained that “the long pole in the tent for government has historically been the authorization to operate package. Whenever you bring in a new system, you have to have an authorization to operate. You can have a great technology, but if you don’t have an ATO, it’s not going to be authorized to run.”

“That’s where we come in,” he said. “What our software does – it’s designed to help compliance professionals easily create that compliance documentation for those systems, and then, most importantly, integrate with all the different monitoring systems that you already own, your security systems that you made investments in, your compliance platforms that you may have already made investments in, or if you don’t have one, we can do that.”

“And then keep that documentation continuously up to date,” he added. “Because right now, all of that is done traditionally, by hand, in Word documents and in Excel spreadsheets that are instantly out of date the moment that they are created.”

John Curran
John Curran is MeriTalk's Managing Editor covering the intersection of government and technology.