The Paramify Podcast
Author: Paramify
© Copyright 2023 All rights reserved.
Description
Step into the fascinating world of risk and achievement with The Paramify Podcast. Join us as we engage with inspiring individuals who have accomplished extraordinary feats in various fields. From daring entrepreneurs, innovative scientists, extreme sports athletes to pioneering artists, we delve into their incredible journeys and explore the structures and strategies that guided them. We dissect the frameworks, methodologies, and mindsets they’ve employed to conquer challenges, manage risks, and achieve the remarkable.
51 Episodes
“There’s this misconception in the marketplace that you need to be a coder to do GRC Engineering. You don’t. I don’t want people to be bogged down in scripting. I want them to be systems thinkers focusing on architecture and orchestration.”
Kenny and Mike sit down with the GOATed pioneer of GRC Engineering, Ayoub Fandi. In case you’ve been living under a rock, Ayoub is the Security Assurance Automation Team Lead at GitLab and the Founder of GRC Engineer.
This episode covers Ayoub’s wild pivot from middle school English teacher to sending 500 cold LinkedIn DMs to break into security. We dive into his first trip to Utah (discovery of "sugarcane fillets" and life-changing butter cake), why APIs are the “landlines” of the past, and how he sparked the movement behind the GRC Engineering Manifesto to give practitioners their own “Phoenix Project” moment for compliance.
Key Takeaways:
* Systems Over Scripts: GRC Engineering isn't about being a "coder." It’s about systems thinking and moving away from the "crawl space" of manual scripting.
* The "Cell Phone" Moment: Why GRC is skipping the "landline" era of APIs and jumping straight to agentic workflows with MCP (Model Context Protocol).
* FedRAMP® 20x: How Key Security Indicators (KSIs) move the burden of proof from 4,000-page narratives to 80%+ automated validation.
* The 7-Minute Threat: AI-powered adversaries can pop a machine in 7 minutes. If your compliance isn't "threat-driven," it's irrelevant.
Learn more about Ayoub:
Gitlab: https://about.gitlab.com/
GRC Engineer: https://grcengineer.com/
GRC Engineer Podcast: https://www.youtube.com/channel/UC8cvmIXoEEBs0dryLh2p2cA
Ayoub's LinkedIn: https://www.linkedin.com/in/ayoubfandi/
Learn more about Paramify:
Website: https://www.paramify.com/
Kenny's LinkedIn: https://www.linkedin.com/in/kenny-g-scott/
Mike's LinkedIn: https://www.linkedin.com/in/mikecschreiner/
Chapters
00:00 Intro — Utah, butter cake, and Ayoub's first time in the U.S.
02:00 How Ayoub got into GRC (500 cold DMs and ISO cramming)
09:00 Struggling to commit to GRC — until Adobe's program changed everything
13:00 What GRC Engineering actually means
15:00 Why evidence collection is plumbing, not strategy
20:00 Why AI won’t kill GRC — it’ll force it to grow up
25:00 Architecting assurance: the new role of GRC
30:00 Why APIs are losing ground to agentic protocols like MCP
35:00 Landlines vs. Cell Phones: How automation skipped a generation
38:00 Platformization, assurance, and the SaaS vendor dilemma
43:00 Can platforms fix SOC 2 quality?
48:00 Sticker fatigue and the case for continuous assurance
52:00 Why threat-driven compliance is the only way forward
56:00 Advice for early-career GRC professionals in an AI-native world
Kenny and Mike sit down with Dixon Wright, Head of Delivery at Eden Data, for a grounded and insightful conversation on security, compliance, and building smarter systems.
They cover:
- Dixon’s journey from college football to leading security at Eden Data
- What it takes to actually deliver cybersecurity — not just sell it
- Why Eden Data joined the FedRAMP 20x pilot
- How compliance is evolving across commercial and federal sectors
- Why trust, transparency, and execution matter more than buzzwords
It’s one of the most real conversations we’ve had about what delivery actually looks like in the compliance world.
Chapters
00:00 Intro: From field goals to FedRAMP
02:00 Dixon’s career in security consulting
05:00 What Eden Data does and who they serve
09:00 Joining the FedRAMP 20x pilot
14:00 Building credibility through execution
18:00 Security in practice vs. theory
23:00 Why delivery teams need flexibility
27:00 Shifts in federal and commercial compliance
32:00 Trust, tools, and transparent reporting
36:00 The future of cybersecurity delivery
41:00 Final thoughts
Learn more about Eden Data:
https://www.edendata.com
Learn more about Dixon Wright:
/ dixon-wright-aab68321
Learn more about Paramify:
https://www.paramify.com/
Learn more about Kenny:
/ kenny-g-scott
Learn more about Mike:
/ mikecschreiner
"The AI age we're in is going to force startups to compete in the higher upper echelon of risk assurance."
Jack Rumsey Head of GRC at Swimlane explains why startups will no longer have the luxury of maturing later and how the AI era is pushing even early-stage teams into enterprise-grade security.
This episode covers why assurance needs to evolve, how 20X can level the playing field, why automation is changing everything about how companies prove trust, and Jack's brief era as "the richest fifth-year college student of all time."
Key Takeaways:
• Automation is reshaping how companies prove trust and security
• Startups will need enterprise-grade security earlier than ever
• Continuous monitoring is becoming the new foundation for real assurance
Chapters
00:00 Security teams are drowning
02:40 Scaling trust in public sector
06:10 Check-the-box isn’t cutting it
10:00 The promise of low-code automation
13:40 Swimlane’s mission and momentum
17:00 How to reduce alert fatigue
21:30 Integrating detection with compliance
26:15 CMMC and automation opportunities
30:00 Why orchestration needs flexibility
34:00 Future of GRC tooling
36:50 Final thoughts on doing more with less
Learn more about Jack Rumsey:
https://www.linkedin.com/in/jack-rumsey-83303469/
Learn more about GRC Destroyer: https://grcdestroyer.substack.com
Learn more about Swimlane: https://swimlane.com
Learn more about Kenny: https://www.linkedin.com/in/kenny-g-scott/
Learn more about Mike: https://www.linkedin.com/in/mikecschreiner/
Learn more about Paramify: https://www.paramify.com/
Security isn’t sexy. It’s laundry. You know you need to do it, but you’d rather have a tool do it for you.
Kenny Scott and Mike Schreiner from Paramify sit down with George Manuelian from RapidFort to talk about freeing the captives — the engineers buried in spreadsheets, patch tickets, and compliance chaos.
They cover:
- Why security always seems at odds with progress
- How automation can fix what boredom created
- The giant washing machine for open source
- Starting clean, staying clean, and why “7 million vulnerabilities” isn’t a vibe
- FedRAMP, CMMC, and the art of not losing your mind in compliance
It’s the least boring conversation you’ll ever hear about vulnerabilities.
FedRAMP as we know it is changing. In this episode, Mike and Kenny sit down with Mike “Waffle” Craig, founder and CEO of Vanaheim Security and longtime cloud and cybersecurity leader, to unpack what FedRAMP 20x means for agencies and vendors across FedCiv and DoD. We get into compliance philosophy, how to define your boundary the right way, why sponsorship strategies matter, and where scalability will make or break 20x.
Mike Craig shares hard-won lessons from incident response, multi-cloud ATOs, and advising startups so they don’t burn six or seven figures chasing the wrong path.
What we cover:
• Why FedRAMP 20x signals the future of federal compliance
• Sponsorship realities, Ready pitfalls, and how small vendors survive
• Boundary, data flows, and “if you can’t draw it, you can’t secure it”
• Zero trust in practice and multi-zone risk profiles across stacks
• AI and LLM/RAG inside a FedRAMP world and change approval at scale
• JAB is gone, human variance is not, and how to navigate the psychology of yes
• CSFC as a model for defined stacks and what that could mean for AI patterns
• Practical diagramming tips and the surprising power of PowerPoint
• The “Waffle” origin story and a DoD “Beta Blocks” style experiment
Guest:
Learn more about Mike Craig: https://www.linkedin.com/in/michaelcraig26/
Learn more about Vanaheim Security: www.vanaheimsecurity.com
Learn more about Paramify:
https://www.paramify.com/?utm_source=MikeCraig&utm_medium=Podcast&utm_campaign=Mikecraig&utm_id=Podcast&utm_term=podcast&utm_content=Mikecraig
Exploring FedRAMP 20x, GovRAMP, FISMA, or CMMC and want a faster path to audit-ready deliverables and ConMon at scale? Talk to Paramify. We help teams get compliant and stay compliant 90% faster at a quarter of the cost.
Timestamps / Chapters
0:00 — “FedRAMP as we know it” and the 20x future
1:42 — Welcome back to The Paramify Podcast (Mike & Kenny)
3:01 — Meet Mike “Waffle” Craig (Vanaheim Security)
4:04 — Hero’s journey: Air Force → cyber → IR → compliance
5:04 — “Cyber warfare” era and being the translator across teams
6:02 — Global regs, midnight IR, and burnout
7:04 — From IR to compliance architecture & multi-cloud ATOs
8:05 — Protecting small vendors from six–seven figure mistakes
9:11 — When compliance runway kills a program (DoD case)
11:03 — Waffle’s 0% abandonment rate and why it matters
11:14 — DoD “defense combine” experiment (Beta Blocks vibe)
13:41 — Operators, COs, entrepreneurs: fixing feedback loops
16:26 — Federal sponsorship 101 (pre-20x) and targeting wisely
18:16 — Two bad options for first-timers: sponsor vs. Ready gamble
21:02 — FedRAMP Ready pitfalls and the 12-month clock
22:08 — Cost realities (150k+ assessments) for small teams
22:44 — Why 20x changes the game (starting low, scaling up)
27:04 — Compliance philosophy: scope, boundaries, and frameworks
30:00 — “If you can’t draw it, you can’t secure it” (data flows)
31:04 — Hot take: PowerPoint is the best diagramming tool
33:39 — Prototype confession: Excel/Sheets and millennial ops
37:39 — 20x at scale: staffing, humans-in-the-loop, and risk
39:07 — Post-JAB reality: more variance, harder prediction
40:05 — LLM/RAG in FedRAMP: data sources & significant change
42:05 — Boundaries got harder—how to think about them
43:08 — Paramify’s CIA risk profile approach across stacks
47:01 — Corporate, dev, infosec, tech-ops: multi-zone modeling
49:05 — Knowing your data (AI makes the gap bigger, faster)
50:06 — Control weighting & psychology of “yes”
50:47 — NSA CSFC as a model for defined stacks
52:02 — Could FedRAMP define AI patterns? (playbook potential)
54:46 — Where to find Mike / Vanaheim Security
55:31 — Name jokes and close
“Once you’re in Hotel FedRAMP, you can’t leave.”
Jason Oksenhendler, Cybersecurity Director of FedRAMP®/GovRAMP at Baker Tilly x Moss Adams, sits down with Kenny and Isaac to talk about FedRAMP’s past, how 20x is shaping the future, and why nobody ever really checks out of Hotel FedRAMP.
👉 Key Takeaways:
• FedRAMP 20x was a “hand grenade” for everyone’s roadmap, and it’s already transforming compliance speed and evidence collection.
• Risk-first programs survive change — smart architecture and design decisions matter more than chasing checklists.
• Flexibility vs. rigor — 20X offers new freedom, but assessors must still enforce strong security.
• Collaboration wins — assessors and CSPs working together can turn impossible timelines into success.
Learn more about Jason:
https://www.linkedin.com/in/jason-oksenhendler/
Learn more about Baker Tilly x Moss Adams:
https://www.bakertilly.com/
https://www.mossadams.com/
Learn more about Kenny:
https://www.linkedin.com/in/kenny-g-scott/
Learn more about Isaac:
https://www.linkedin.com/in/isaacteuscher/
Learn more about Paramify:
https://www.paramify.com/
Timestamps:
00:00 – Moss Adams x Paramify team-up
Jason recounts how a shared client pushed both teams into the deep end of 20X, asking to include the auditors before Paramify even had an assessment portal built.
01:00 – Less than two-week deadline
The group describes the chaos of spinning up a 20X package in record time, with Rob (the auditor) agreeing to figure things out alongside them.
01:44 – Submitting against moving targets
Just as the package was ready to go, the final low 20X KSIs dropped — forcing last-minute changes and stress.
02:24 – Nature of FedRAMP change
Jason compares FedRAMP shifts to “big boulders” coming at you, not “mousy” tweaks — change is always disruptive and massive.
02:56 – Success despite chaos
Teams (Paramify, Flock, Baker Tilly) pulled it together, got the package in on time, and landed among the first four 20X submissions posted publicly.
03:07 – The reality check
Jason: not everything in FedRAMP is “dillydallying” — clients, deadlines, and bills make delivery non-negotiable.
03:13 – Official podcast kickoff
Kenny introduces the episode: Jason Oksenhendler (Baker Tilly, formerly Moss Adams), and Paramify’s “rising star” Isaac Teuscher.
04:01 – Jason’s career origin story
From news anchor ➝ IT tech writer ➝ into FedRAMP (starting around NIST 800-53 Rev 2).
05:40 – First FedRAMP assignment
Jason recalls his boss handing him a paper: “Go do FedRAMP.” He walks through early JAB/ISSO processes, feedback loops, and working with Matt Goodrich and Ashley Mahan.
11:43 – Co-creating the FedRAMP High Baseline
Jason describes working with DoD’s Ron Rice to build the High Baseline from scratch.
13:00 – Early FedRAMP pain
Microsoft Word & Excel “hell,” endless regurgitated control statements, and why some CSPs made assessors want to “bang their heads on the desk.”
15:32 – “You could do a Seinfeld routine on this crap.”
Jason on version control disasters and 600-page SSP reviews without track changes.
17:30 – Culture shock of change
Reactions to FedRAMP 20X mirror the same resistance to earlier shifts — but it’s always been “do once, use many.”
20:00 – Continuous monitoring reality
Jason emphasizes executive buy-in as essential, recalling how ConMon and POA&Ms separate prepared orgs from overwhelmed ones.
22:50 – FedRAMP rigor vs. other frameworks
Jason argues FedRAMP is among the toughest frameworks, on par with DoD IL4-6.
25:00 – 20X blows up the roadmap
Kenny calls 20X a “hand grenade” for Paramify’s product plans.
29:00 – Cross-team collaboration
Jason highlights how six strangers in a Slack channel worked seamlessly under pressure — “like a chocolate fountain.”
34:00 – 20X flexibility vs. rigor
Jason explains the challenge of balancing new freedoms with maintaining strong security.
38:00 – Scaling 20X & future baselines
Speculation about moderate and high 20X baselines and how CSPs will adapt.
46:00 – Tools then vs. now
From CSAM, RSAM, and E-MASS to Paramify — Jason praises ease-of-use as critical to speed and quality.
49:30 – Lifelong learning
FedRAMP’s ever-changing landscape keeps security careers fresh, like his days in broadcasting.
55:00 – “Get over it. This is the future.”
Jason’s blunt advice on 20X: stop resisting change, go where the work is, and be all-in.
59:02 – Career lesson from a mentor
Jason shares the Navy SEAL “my way, the right way, or the wrong way?” story — the moment that launched his assessment career.
1:02:04 – Closing
Relationships last longer than frameworks; Kenny, Jason, and Isaac wrap up the episode.
In this episode of the Paramify Podcast, Karen Laughton, EVP of Advisory at Coalfire, joins Kenny Scott (CEO of Paramify) and Mike Schreiner to unpack the future of government cybersecurity and compliance modernization. From the hard realities of FedRAMP 20X to lessons learned from the early days of FISMA and CMMC confusion, this conversation pulls no punches.
Karen shares how she broke into cybersecurity via HR (and a saltine-fueled CISSP exam), why automation without strategy won’t scale, and what it's going to take to make 20X work at moderate and high baselines. If you're curious where compliance, automation, AI, and public sector modernization are headed—you’ll want to tune in.
⏱️ Timestamps:
00:00 – "Dang, we need to modernize our government" — Karen's IRS nightmare becomes a metaphor for digital transformation.
02:44 – Meet Karen Laughton: Coalfire EVP, community leader, and accidental cyber exec.
03:35 – Saltines, pregnancy, and passing the CISSP: Karen’s origin story in cyber.
08:01 – AC-7 and the mouse jiggler: when coarse-grained controls meet real-world demos.
10:03 – FedRAMP in the early days: the “marathon in flip-flops” era of inconsistent TR feedback.
13:01 – The worst documentation nitpicks Karen’s ever seen (IP addresses and diagram chaos).
14:46 – FedRAMP then vs. now: why decentralization could hurt even as risk-focus improves.
17:28 – What scaling 20X to moderate and high will actually require.
20:03 – Are we solving the right problem with KSIs? Recapping Coalfire's “automation of arrested development” blog.
23:08 – Why automation isn’t a silver bullet (and why it still needs humans).
24:57 – 3PAOs aren't going anywhere — and that’s not just job security talk.
26:15 – Andrej Karpathy, robot soccer, and the early innings of AI assurance.
29:30 – Why agencies aren’t lining up to sponsor FedRAMP 20X.
31:08 – How Coalfire responded to 20X: culture, planning, and Compliance Essentials.
33:41 – Leveraging Paramify to accelerate automation where it makes sense.
36:42 – Politics, acquisitions, and why automation hits limits in complex orgs.
37:27 – DoD, CMMC, and 20X: where things stand and why there’s still confusion.
41:01 – The case for CMMC enclaves (and why most orgs want to isolate the mess).
42:00 – Mentorship, career pivots, and embracing “knowing nothing” as a superpower.
47:58 – Why questions make you smarter — and why cybersecurity people love answering them.
50:00 – Why cybersecurity never gets boring (and feels like a family reunion at every conference).
50:59 – Wrap-up & future part two tease.
Learn more about Coalfire: https://coalfire.com/
Learn more about Karen Laughton: https://www.linkedin.com/in/karen-laughton-6484115/
Learn more about Paramify: https://www.paramify.com/
Learn more about Kenny: https://www.linkedin.com/in/kenny-g-scott/
Learn more about Mike: https://www.linkedin.com/in/mikecschreiner/
It’s not only about faster authorizations—it’s about unlocking the full potential of modern cloud for government.
FedRAMP 20X is how we get there.
In this exclusive roundtable, Pete Waterman (FedRAMP Director), Karen Laughton (EVP of Advisory, CoalFire), Rob Otten (Sr. Director, Risk & Compliance, Flock Safety), Kenny Scott (Founder & CEO, Paramify), and Mike Schreiner (COO, Paramify) break down:
- The mission, process & real impact of the 20X pilot
- How Key Security Indicators (KSIs) make compliance faster & smarter
- What Continuous ATO looks like in practice
- Why agencies are holding the line—and what they actually want
- The bold vision to transform FedRAMP from 50 authorizations a year… to 50 a week
Timestamps:
0:00 – The Big Question
Pete Waterman shares the spark: “What if we did 50 FedRAMP authorizations a week?”
1:56 – Welcome & Introductions
Meet the panel: Pete Waterman, Karen Laughton, Rob Otten, Kenny Scott.
2:53 – Pilot Progress Update
Pete dives into pilot metrics, early submissions, and success stories.
5:17 – Industry Perspective: CoalFire
Karen Laughton shares lessons learned from advising CSPs and 3PAOs.
8:40 – CSP Perspective: Flock Safety + Paramify
Rob & Kenny reveal how they rapidly pivoted into the pilot and delivered results in 2 weeks.
12:03 – Why It Worked
Why KSIs resonated and how automation made it achievable.
14:22 – The Risk-Based Shift
Security is about risk, not checklists. Kenny, Rob, and Pete riff on the deeper mindset change.
17:06 – ATO vs Authorization
Pete clarifies the difference and why 20X is fixing the current barriers.
19:02 – The Good, The Bad, and the Fast
Karen details what’s working well—and what’s still a mess (agency sponsorship, complex systems, DoD holdouts).
24:04 – Rob's Advice to CSPs
Rob advocates a risk-first approach and common sense improvements.
25:48 – Breaking Outdated Rules
Kenny rants about FIPS encryption requirements and why 20X could fix it.
27:07 – Agency Buy-In: Will They Accept 20X?
Pete confirms: Yes. OMB and formal policy will mandate adoption.
36:40 – Continuous ATO in Practice
What’s working, what’s confusing, and what the FedRAMP team is learning.
42:00 – The Integration Trap
Kenny explains why black-box integrations don’t cut it—and what CSPs must do instead.
44:55 – End User Risk Responsibilities
A critical callout: security breaches are often misconfigurations by users—not tech failures.
47:00 – Monitoring What Actually Matters
Forget CVEs. Pete & Karen emphasize real-time config validation (e.g., MFA being disabled).
50:00 – Change Processes & CI/CD
How continuous snapshots and CICD can coexist with security—without slowing innovation.
56:00 – Driving Innovation Through Standards
Why 20X exists: to force the ecosystem to build what’s long been talked about but never delivered.
1:00:00 – Final Advice to CSPs
Should you jump into 20X? Panelists give concrete guidance for startups, hyperscalers, and advisors.
1:06:04 – Reframing the Goal
Pete closes with a powerful vision: delivering equal access to secure cloud tech for federal workers—faster, better, and at scale.
Learn more about our guests:
Pete Waterman: https://www.linkedin.com/in/petewaterman/
FedRAMP: https://www.fedramp.gov/
Karen Laughton: https://www.linkedin.com/in/karen-laughton-6484115/
Coalfire: https://coalfire.com/
Rob Otten: https://www.linkedin.com/in/robertotten/
Flock Safety: https://www.flocksafety.com/
Learn more about Paramify:
Kenny Scott: https://www.linkedin.com/in/kenny-g-scott/
Mike Schreiner: https://www.linkedin.com/in/mikecschreiner/
Paramify: www.paramify.com
Looking into FedRAMP or FedRAMP 20X? Let's talk: https://www.paramify.com/frameworks/fedramp
Today, we’re sitting down with StackArmor’s Martin Rieger — a FedRAMP veteran with over 300 engagements under his belt — for an unfiltered deep dive into the origin, evolution, and future of FedRAMP compliance.
We cover everything from the early days of DIACAP and gold images to today’s world of automation, OSCAL, and AI-powered documentation. Martin shares war stories, explains why so many companies fail audits even with AI, and gives his take on where FedRAMP 20x is headed.
Key takeaways
- AI can't replace expertise: Using ChatGPT (or any AI) to generate FedRAMP documentation without human validation leads to failure—AI is a tool, not a replacement for expertise.
- Right tools + right people = success: AI and automation can massively accelerate compliance work if handled by professionals who understand the frameworks deeply.
- FedRAMP’s evolution: FedRAMP has matured from infrastructure-heavy beginnings to a focus on SaaS and cloud-native tools, with an increasing push toward automation and standards like OSCAL.
- Common ATO pitfalls: Many companies underestimate the effort required for continuous monitoring (ConMon) and maintaining their ATO, mistakenly thinking the hardest part is getting authorized.
- Martin's predictions: FedRAMP may move toward sponsor-less paths (like StateRAMP) for Low/Moderate baselines, and AI + OSCAL will likely reshape how security packages are created, validated, and shared.
This episode is loaded with insights for anyone serious about federal cloud compliance.
⏱️ Timestamps:
04:10 – Martin’s early FedRAMP journey & Navy background
10:00 – DIACAP, early tools, and Excel-era compliance
16:35 – How Kenny and Martin met (NIST OSCAL event story)
25:00 – StackArmor’s shift from golden images to modern cloud
35:00 – The problem with AI-generated SSPs
43:30 – POAMs, audit problems, and compliance documentation
49:45 – FISMA vs. FedRAMP, ‘FISRamp’, and ATO inefficiencies
56:40 – Predictions: FedRAMP 20x, agency sponsorship & PMO
1:02:20 – The future of FedRAMP automation & OSCAL + AI
🔗 Learn more about StackArmor: https://stackarmor.com/
👤Learn more about Martin Rieger: https://www.linkedin.com/in/martinrieger/
🔗 Learn more about Paramify: https://www.paramify.com/?utm_medium=social
👤 Connect with Kenny: Kenny G. Scott: https://www.linkedin.com/in/kenny-g-scott/
👤 Connect with Mike: Mike Schreiner: https://www.linkedin.com/in/mikecschreiner/
Today we're sitting down with the Father of FedRAMP himself — Dave Fairburn Jr. — for a raw, detailed, and at times hilarious deep dive into the origin story, evolution, and future of the FedRAMP program. From 16-hour days and bureaucracy battles to 2,500-page documentation drafts reduced by weight tests (yes, really), Dave walks us through how the entire FedRAMP framework was created, challenged, and still, nearly 15 years later, hasn’t been "screwed up" (his words). This episode is packed with insider stories, lessons learned, and real talk about:
Why the original FedRAMP design was JAB-only (no agency ATOs)
How 3PAOs came to be — and the concern about quality today
Why the “paperwork exercise” argument drives Dave crazy
What Dave thinks about FedRAMP 20x, AI, OSCAL, automation, and PMO changes
Predictions about what will (and won’t) change in the next 10 years
Learn more about Dave Fairburn Jr.: / %e2%98%81%ef%b8%8f-dave-fairburn-jr-cissp-...
🔗 Learn more about Paramify: https://www.paramify.com/?utm_medium=...
👤 Connect with Kenny: Kenny G. Scott: / kenny-g-scott
👤 Connect with Mike: Mike Schreiner: / mikecschreiner
What do DC sneakers, HR-approved marriage advice, and compliance robots have in common? They’re all part of this episode as Kenny and Mike dive into the bold future of FedRAMP 20X — and why it’s finally time to fix the pain points for both private companies and government agencies.
Here’s what they cover:
- The (not) shift in risk ownership — why agencies have always owned the risk and the PMO will focus on standards
- The myth of "set-it-and-forget-it" security — and the need for continuous monitoring
- The problem with screenshot audits — and smarter ways to prove assurance
- The role of auditors vs. automation — balancing trust and verification
- Why developers don’t love security — and how to make it less painful
- The future for faster authorizations, and why you shouldn't wait for the FedRAMP changes to happen to get FedRAMP Authorized.
If you’ve ever yelled at your SSP or cried over a screenshot audit, this one’s for you.
Sign up for the FedRAMP working groups here:
https://www.fedramp.gov/20x/working-groups/
Learn more about Paramify here: https://www.paramify.com/
Learn more about Kenny: https://www.linkedin.com/in/kenny-g-scott/
Learn about Mike: https://www.linkedin.com/in/mikecschreiner/
Today, we're pretending it's August 24, 2024, as Kenny and Mike sit down with Pete Waterman to talk about his backstory and what inspired him to apply to become the new FedRAMP Director.
Spoiler alert: we discuss frustration, bureaucracy, and a wild career move. Also these things:
- Pete's Origin Story – Every hero has one.
- Government Tech: Why Is It So Hard? – Bureaucracy, risk, and the myth of FISMA jail.
- The Future of FedRAMP – Can it get faster?
- Motorcycles & Risk Management – How intercontinental motorcycle camping trips bring perspective.
- Compliance Theater - "Can I get a screenshot of that?"
This episode is equal parts insightful, hilarious, and maybe a little chaotic—just the way we like it.
Learn more about Pete Waterman: https://www.linkedin.com/in/petewaterman/
Learn more about Paramify: https://www.paramify.com/
Learn more about Kenny: https://www.linkedin.com/in/kenny-g-scott/
Learn more about Mike: https://www.linkedin.com/in/mikecschreiner/
Today Kenny and Mike are talking to the one and only Jason Ford, CEO & Founder of Steel Patriot Partners—a true FedRAMP guru who's been securing systems since digital transformation was still a baby. Jason shares his battle-tested strategies for navigating security audits, implementing encryption the right way, and avoiding common pitfalls that can delay your compliance efforts for months.
Here's what we're tackling in this episode:
- "If You Can't Draw It, You Can't Secure It" – Why mapping your architecture is step one in cybersecurity.
- FedRAMP High vs. Moderate – Why enterprises (not just government) are demanding higher security standards.
- Encryption 101 – What's really required, and why some ciphers belong in the dumpster.
- Privileged Access Done Right – No more random one-off permissions for Jeff! Use roles, not regrets.
- The Future of Security Compliance – Automation, AI, and why FedRAMP is about to change everything.
If you're serious about building a security-first organization, tackling FedRAMP without losing your mind, or just figuring out how to keep your systems locked down like a fortress, this episode is for you.
Learn more about Paramify here: https://www.paramify.com/
Learn more about Steel Patriot Partners here: https://www.steelpatriotpartners.com/
Getting started with risk management is easier than you think, and you don’t need fancy tools to do it.
In this episode, Kenny and Mike break down how a simple Google Sheet can be your secret weapon for designing a great security program. Whether you’re navigating FedRAMP, SOC 2, or ISO 27001, the key is just getting started—no expensive software required.
If you're a startup founder, security pro, or just compliance-curious, this episode is packed with easy, actionable steps to help you kick off your compliance journey—without breaking the bank.
Learn more about Paramify: https://www.paramify.com/
Learn more about Kenny: https://www.linkedin.com/in/kenny-g-scott/
Learn more about Mike: https://www.linkedin.com/in/mikecschreiner/
Eric, the CISO at Federal Cyber Defense Solutions and former Chief FedRAMP Strategist at IBM and FedRAMP Leader at HP, shares his journey from growing up on a farm to becoming a CISO and FedRAMP expert. We dive into the challenges of FedRAMP compliance, the evolution of cybersecurity, and how today's security teams can strike the balance between technical expertise and meeting compliance demands.
In this episode, we cover:
- The real struggles of legacy tech and security controls
- How cybersecurity careers have evolved—then vs. now
- The shift toward security by design and the future of security operations
- Advice for new cybersecurity professionals on breaking into the industry
If you're interested in FedRAMP in 2025, compliance innovation, or cybersecurity career growth, this episode is a must-listen!
Learn more about Eric here:
LinkedIn: https://www.linkedin.com/in/eadams2/
Learn more about Paramify:
https://www.paramify.com/
Learn more about Kenny:
Linkedin: https://www.linkedin.com/in/kenny-g-scott/
Whether you’re launching a brand-new security program or fine-tuning your existing one, this episode has everything you need to know.
Kenny and Mike are breaking down the control assessment phases – why they matter and how they can transform your security processes.
Here’s what’s on deck in this episode of The Paramify Podcast:
- How to plan your security framework so it’s rock-solid from the start.
- Common pitfalls in frameworks like FedRAMP (and how to avoid them, no trench runs required).
- The importance of boundaries, collaboration, and a digital-first approach.
- Real-world lessons (and Star Wars stories) for simplifying security challenges.
Listen now and learn how planning, assessing, and reporting can level up your risk management game.
We’ve heard you. We all want to know just how much it cost the Empire when the first Death Star was blown to oblivion by a young boy from Tatooine. How could the Empire let this happen?
Kenny Scott and Mike Schreiner dive deep into risk management and cybersecurity—all through the lens of Star Wars.
Kenny uses Star Wars analogies to break down key concepts like:
• Assets (Death Stars)
• Vulnerabilities (Thermal Exhaust Ports)
• Threats (X-wings)
• Controls (Force fields, turrets, the Dark Side and Darth Vader)
• Risk Treatment Strategies:
  • Mitigate all by yourself
  • Share risk like pizza
  • Transfer it to some do-gooder
  • Accept the risk (aka, just flat out ignore it)
  • Avoid the risk cuz you’re just too scared
Whether you're looking to build a risk management program OR just geek out over Star Wars references, this episode has something for you.
Today we’re talking to Tony Bai. With 25 years of experience in cyber defense and operations, Tony serves as the Chief Solutions Officer at RISCPoint. He is a United States Air Force veteran with extensive leadership experience at leading consulting organizations. Tony specializes in FedRAMP, CMMC and other NIST frameworks and is a leading voice on their latest developments, which seem to be pretty intense these days. This is a great episode!
Learn more about Tony Bai:
https://www.linkedin.com/in/williamtbai/
Learn more about RISCPoint:
RISCPoint is an industry-leading management consulting firm, specializing in cybersecurity, compliance, and risk management, providing both strategy and tactical implementation. Our founding vision is a seamless integration with your team, focusing on creating impactful solutions to help you achieve your objectives.
https://www.riscpoint.com/
https://www.riscpoint.com/services/public-sector
https://www.riscpoint.com/contact
Learn more about Kenny Scott:
https://www.linkedin.com/in/kenny-g-scott/
Learn more about Paramify:
https://www.paramify.com/
We're talking with Mandy Andress, Chief Information Security Officer (CISO) at Elastic. Mandy is making a huge impact in the security industry as the author of Surviving Security: How to Integrate People, Process, and Technology, a Top 100 CISO (C100) Award recipient, and a LinkedIn Top Voice. Her leadership goes well beyond her role as CISO – she's also a trusted advisor to many organizations, a frequent speaker at global conferences like BlackHat and Networld + Interop, and a driving force behind Elastic's IPO success.
Learn more about Mandy Andress:
Mandy's Linkedin: https://www.linkedin.com/in/mandyandress/
Learn more about Elastic:
Elastic's Website: https://www.elastic.co/
Learn more about Kenny Scott:
Kenny's LinkedIn: https://www.linkedin.com/in/kenny-g-scott/
Learn more about Paramify:
Paramify's website: https://www.paramify.com/
Today, we’re honored to have Michael Carter on the show! Michael is the Managing Partner and Co-founder of Fortreum. Michael brings over two decades of expertise in cybersecurity and compliance, specializing in FedRAMP, FISMA, PCI, and more. He has held key leadership roles at Coalfire and Veris Group, shaping compliance strategies for top organizations across both government and commercial sectors. Michael’s deep insights into security and risk management make him a leading voice in the industry.
Learn more about Michael Carter: / carte2ms
Learn more about Fortreum: https://fortreum.com/
Learn more about Kenny Scott: / kenny-g-scott
Learn more about Paramify: https://www.paramify.com/