Jadon White
August 1, 2025
HunaTek – Internship
Reflection Paper #3
During my third 50-hour reflection period at HunaTek, I was able to support our cybersecurity leadership more directly in advancing the Authorization process. This portion of my internship has marked a shift from hands-on scanning and enclave-focused technical tasks to more process-driven, documentation-heavy work. The timing couldn’t be better—I’ve developed enough technical understanding to see how policies and systems fit together, and now I’m learning how to capture, structure, and validate that information for federal review.
Lately, I’ve been focused primarily on the Risk Management Framework (RMF) lifecycle. More specifically, I’ve supported the team with writing System Security Plans (SSPs), developing system architecture diagrams and relationship maps, and drafting Standard Operating Procedures (SOPs). Central to all of this is documentation that describes not only how a system functions but also how its policies and controls are implemented. A key lesson I’ve learned is that in cybersecurity, documentation isn’t just a formality—it’s often the control itself. You can’t hold systems accountable, implement controls, or perform audits without accurate documentation.
In creating these SOPs, I’ve reviewed current and proposed documentation, interviewed system owners and technical contacts to gather information, and aligned procedures with the control families outlined in NIST SP 800-53. This work has deepened my understanding of implementation evidence and how to ensure that controls are traceable from policy down to the artifact. I’ve learned to be critical not just of what a system does, but of how it works—and how to prove that it aligns with required security baselines. There’s a major difference between saying “we secure this port” and being able to show the technical and procedural evidence that demonstrates it.
In addition to SOPs, I’ve collaborated with the team to build system architecture diagrams for inclusion in the ATO submission package. These diagrams illustrate data flows, security perimeters, and trust boundaries between components. This was a natural next step for me, having already worked on enclave design, but now I’m approaching it with a greater emphasis on formal accuracy and alignment with other documents. Translating real system configurations and interfaces into visual schematics that withstand external review has been eye-opening—and has shown me how critical these visuals are as a single source of truth for audits and ongoing compliance.
Another key takeaway has been learning how control inheritance works. I’ve begun tracking which controls are inherited from the hosting environment versus which are system-specific. This has broadened my understanding of layered security and reinforced how essential it is to collaborate with both infrastructure teams and policy stakeholders. Whether it’s contributing to security categorizations or mapping narrative text to technical controls, I’m starting to grasp RMF at a deeper, more practical level—beyond just checking a box for compliance.
Looking back on these 50 hours, I can clearly see my transition from student to contributor. I’m no longer just studying RMF—I’m applying it. I’m not simply shadowing security analysts—I’m producing tangible deliverables that are moving our system closer to ATO. This internship has shown me that the behind-the-scenes work—planning, documenting, reviewing, and validating—is just as important as the technical defenses we implement.
Above all, this reflection period has made me realize that the strength of a cybersecurity program doesn’t just come from tools or firewalls. It stems from repeatable processes, clear documentation, and structured roles. I now have a clearer understanding of how compliance frameworks shape real-world security practices—especially in federal environments. I’m proud of the contributions I’ve made so far and even more excited for what lies ahead. The knowledge and experience I’m gaining at HunaTek are not only preparing me for future roles, but also shaping me into a more disciplined and capable professional.