The Paramify Podcast
Step into the fascinating world of risk and achievement with The Paramify Podcast. Join us as we engage with inspiring individuals who have accomplished extraordinary feats in various fields. From daring entrepreneurs, innovative scientists, extreme sports athletes to pioneering artists, we delve into their incredible journeys and explore the structures and strategies that guided them. We dissect the frameworks, methodologies, and mindsets they’ve employed to conquer challenges, manage risks, and achieve the remarkable.
Episodes

4 hours ago
In this episode of the Paramify Podcast, Karen Laughton, EVP of Advisory at Coalfire, joins Kenny Scott (CEO of Paramify) and Mike Schreiner to unpack the future of government cybersecurity and compliance modernization. From the hard realities of FedRAMP 20X to lessons learned from the early days of FISMA and CMMC confusion, this conversation pulls no punches.
Karen shares how she broke into cybersecurity via HR (and a saltine-fueled CISSP exam), why automation without strategy won’t scale, and what it's going to take to make 20X work at moderate and high baselines. If you're curious where compliance, automation, AI, and public sector modernization are headed—you’ll want to tune in.
⏱️ Timestamps:
00:00 – "Dang, we need to modernize our government" — Karen's IRS nightmare becomes a metaphor for digital transformation.
02:44 – Meet Karen Laughton: Coalfire EVP, community leader, and accidental cyber exec.
03:35 – Saltines, pregnancy, and passing the CISSP: Karen’s origin story in cyber.
08:01 – AC-7 and the mouse jiggler: when coarse-grained controls meet real-world demos.
10:03 – FedRAMP in the early days: the “marathon in flip-flops” era of inconsistent TR feedback.
13:01 – The worst documentation nitpicks Karen’s ever seen (IP addresses and diagram chaos).
14:46 – FedRAMP then vs. now: why decentralization could hurt even as risk-focus improves.
17:28 – What scaling 20X to moderate and high will actually require.
20:03 – Are we solving the right problem with KSIs? Recapping Coalfire's “automation of arrested development” blog.
23:08 – Why automation isn’t a silver bullet (and why it still needs humans).
24:57 – 3PAOs aren't going anywhere — and that’s not just job security talk.
26:15 – Andrej Karpathy, robot soccer, and the early innings of AI assurance.
29:30 – Why agencies aren’t lining up to sponsor FedRAMP 20X.
31:08 – How Coalfire responded to 20X: culture, planning, and Compliance Essentials.
33:41 – Leveraging Paramify to accelerate automation where it makes sense.
36:42 – Politics, acquisitions, and why automation hits limits in complex orgs.
37:27 – DoD, CMMC, and 20X: where things stand and why there’s still confusion.
41:01 – The case for CMMC enclaves (and why most orgs want to isolate the mess).
42:00 – Mentorship, career pivots, and embracing “knowing nothing” as a superpower.
47:58 – Why questions make you smarter — and why cybersecurity people love answering them.
50:00 – Why cybersecurity never gets boring (and feels like a family reunion at every conference).
50:59 – Wrap-up & future part two tease.
Learn more about Coalfire: https://coalfire.com/
Learn more about Karen Laughton: https://www.linkedin.com/in/karen-laughton-6484115/
Learn more about Paramify: https://www.paramify.com/
Learn more about Kenny: https://www.linkedin.com/in/kenny-g-scott/
Learn more about Mike: https://www.linkedin.com/in/mikecschreiner/

Thursday Jul 17, 2025
It’s not only about faster authorizations—it’s about unlocking the full potential of modern cloud for government.
FedRAMP 20X is how we get there.
In this exclusive roundtable, Pete Waterman (FedRAMP Director), Karen Laughton (EVP of Advisory, Coalfire), Rob Otten (Sr. Director, Risk & Compliance, Flock Safety), Kenny Scott (Founder & CEO, Paramify), and Mike Schreiner (COO, Paramify) break down:
- The mission, process & real impact of the 20X pilot
- How Key Security Indicators (KSIs) make compliance faster & smarter
- What Continuous ATO looks like in practice
- Why agencies are holding the line—and what they actually want
- The bold vision to transform FedRAMP from 50 authorizations a year… to 50 a week
Timestamps:
0:00 – The Big Question: Pete Waterman shares the spark: “What if we did 50 FedRAMP authorizations a week?”
1:56 – Welcome & Introductions: Meet the panel: Pete Waterman, Karen Laughton, Rob Otten, Kenny Scott.
2:53 – Pilot Progress Update: Pete dives into pilot metrics, early submissions, and success stories.
5:17 – Industry Perspective (Coalfire): Karen Laughton shares lessons learned from advising CSPs and 3PAOs.
8:40 – CSP Perspective (Flock Safety + Paramify): Rob & Kenny reveal how they rapidly pivoted into the pilot and delivered results in 2 weeks.
12:03 – Why It Worked: Why KSIs resonated and how automation made it achievable.
14:22 – The Risk-Based Shift: Security is about risk, not checklists. Kenny, Rob, and Pete riff on the deeper mindset change.
17:06 – ATO vs Authorization: Pete clarifies the difference and why 20X is fixing the current barriers.
19:02 – The Good, The Bad, and the Fast: Karen details what’s working well—and what’s still a mess (agency sponsorship, complex systems, DoD holdouts).
24:04 – Rob's Advice to CSPs: Rob advocates a risk-first approach and common sense improvements.
25:48 – Breaking Outdated Rules: Kenny rants about FIPS encryption requirements and why 20X could fix it.
27:07 – Agency Buy-In: Will They Accept 20X? Pete confirms: Yes. OMB and formal policy will mandate adoption.
36:40 – Continuous ATO in Practice: What’s working, what’s confusing, and what the FedRAMP team is learning.
42:00 – The Integration Trap: Kenny explains why black-box integrations don’t cut it—and what CSPs must do instead.
44:55 – End User Risk Responsibilities: A critical callout: security breaches are often misconfigurations by users—not tech failures.
47:00 – Monitoring What Actually Matters: Forget CVEs. Pete & Karen emphasize real-time config validation (e.g., MFA being disabled).
50:00 – Change Processes & CI/CD: How continuous snapshots and CI/CD can coexist with security—without slowing innovation.
56:00 – Driving Innovation Through Standards: Why 20X exists: to force the ecosystem to build what’s long been talked about but never delivered.
1:00:00 – Final Advice to CSPs: Should you jump into 20X? Panelists give concrete guidance for startups, hyperscalers, and advisors.
1:06:04 – Reframing the Goal: Pete closes with a powerful vision: delivering equal access to secure cloud tech for federal workers—faster, better, and at scale.
Learn more about our guests:
Pete Waterman: https://www.linkedin.com/in/petewaterman/
FedRAMP: https://www.fedramp.gov/
Karen Laughton: https://www.linkedin.com/in/karen-laughton-6484115/
Coalfire: https://coalfire.com/
Rob Otten: https://www.linkedin.com/in/robertotten/
Flock Safety: https://www.flocksafety.com/
Learn more about Paramify:
Kenny Scott: https://www.linkedin.com/in/kenny-g-scott/
Mike Schreiner: https://www.linkedin.com/in/mikecschreiner/
Paramify: www.paramify.com
Looking into FedRAMP or FedRAMP 20X? Let's talk: https://www.paramify.com/frameworks/fedramp

Monday May 12, 2025
Today, we’re sitting down with StackArmor’s Martin Rieger — a FedRAMP veteran with over 300 engagements under his belt — for an unfiltered deep dive into the origin, evolution, and future of FedRAMP compliance.
We cover everything from the early days of DIACAP and gold images to today’s world of automation, OSCAL, and AI-powered documentation. Martin shares war stories, explains why so many companies fail audits even with AI, and gives his take on where FedRAMP 20x is headed.
Key takeaways
- AI can't replace expertise: Using ChatGPT (or any AI) to generate FedRAMP documentation without human validation leads to failure—AI is a tool, not a replacement for expertise.
- Right tools + right people = success: AI and automation can massively accelerate compliance work if handled by professionals who understand the frameworks deeply.
- FedRAMP’s evolution: FedRAMP has matured from infrastructure-heavy beginnings to a focus on SaaS and cloud-native tools, with an increasing push toward automation and standards like OSCAL.
- Common ATO pitfalls: Many companies underestimate the effort required for continuous monitoring (ConMon) and maintaining their ATO, mistakenly thinking the hardest part is getting authorized.
- Martin: FedRAMP may move toward sponsor-less paths (like StateRAMP) for Low/Moderate baselines, and AI + OSCAL will likely reshape how security packages are created, validated, and shared.
This episode is loaded with insights for anyone serious about federal cloud compliance.
⏱️ Timestamps:
04:10 – Martin’s early FedRAMP journey & Navy background
10:00 – DIACAP, early tools, and Excel-era compliance
16:35 – How Kenny and Martin met (NIST OSCAL event story)
25:00 – StackArmor’s shift from golden images to modern cloud
35:00 – The problem with AI-generated SSPs
43:30 – POAMs, audit problems, and compliance documentation
49:45 – FISMA vs. FedRAMP, ‘FISRamp’, and ATO inefficiencies
56:40 – Predictions: FedRAMP 20x, agency sponsorship & PMO
1:02:20 – The future of FedRAMP automation & OSCAL + AI
🔗 Learn more about StackArmor: https://stackarmor.com/
👤 Learn more about Martin Rieger: https://www.linkedin.com/in/martinrieger/
🔗 Learn more about Paramify: https://www.paramify.com/?utm_medium=social
👤 Connect with Kenny: Kenny G. Scott: https://www.linkedin.com/in/kenny-g-scott/
👤 Connect with Mike: Mike Schreiner: https://www.linkedin.com/in/mikecschreiner/

Tuesday Apr 15, 2025
Today we're sitting down with the Father of FedRAMP himself — Dave Fairburn Jr. — for a raw, detailed, and at times hilarious deep dive into the origin story, evolution, and future of the FedRAMP program. From 16-hour days and bureaucracy battles to 2,500-page documentation drafts reduced by weight tests (yes, really), Dave walks us through how the entire FedRAMP framework was created, challenged, and still, nearly 15 years later, hasn’t been "screwed up" (his words). This episode is packed with insider stories, lessons learned, and real talk about:
- Why the original FedRAMP design was JAB-only (no agency ATOs)
- How 3PAOs came to be — and the concern about quality today
- Why the “paperwork exercise” argument drives Dave crazy
- What Dave thinks about FedRAMP 20x, AI, OSCAL, automation, and PMO changes
- Predictions about what will (and won’t) change in the next 10 years
Learn more about Dave Fairburn Jr.: / %e2%98%81%ef%b8%8f-dave-fairburn-jr-cissp-...
🔗 Learn more about Paramify: https://www.paramify.com/?utm_medium=...
👤 Connect with Kenny: Kenny G. Scott: / kenny-g-scott
👤 Connect with Mike: Mike Schreiner: / mikecschreiner

Monday Mar 31, 2025
What do DC sneakers, HR-approved marriage advice, and compliance robots have in common? They’re all part of this episode as Kenny and Mike dive into the bold future of FedRAMP 20X — and why it’s finally time to fix the pain points for both private companies and government agencies.
Here’s what they cover:
- The (not) shift in risk ownership — why agencies have always owned the risk and the PMO will focus on standards
- The myth of "set-it-and-forget-it" security — and the need for continuous monitoring
- The problem with screenshot audits — and smarter ways to prove assurance
- The role of auditors vs. automation — balancing trust and verification
- Why developers don’t love security — and how to make it less painful
- The future for faster authorizations, and why you shouldn't wait for the FedRAMP changes to happen to get FedRAMP Authorized.
If you’ve ever yelled at your SSP or cried over a screenshot audit, this one’s for you.
Sign up for the FedRAMP working groups here: https://www.fedramp.gov/20x/working-groups/
Learn more about Paramify here: https://www.paramify.com/
Learn more about Kenny: https://www.linkedin.com/in/kenny-g-scott/
Learn about Mike: https://www.linkedin.com/in/mikecschreiner/

Wednesday Mar 19, 2025
Today, we're pretending it's August 24, 2024, as Kenny and Mike sit down with Pete Waterman to talk about his backstory and what inspired him to apply to become the new FedRAMP Director.
Spoiler alert: we discuss frustration, bureaucracy, and a wild career move. Also these things:
- Pete's Origin Story – Every hero has one.
- Government Tech: Why Is It So Hard? – Bureaucracy, risk, and the myth of FISMA jail.
- The Future of FedRAMP – Can it get faster?
- Motorcycles & Risk Management – How intercontinental motorcycle camping trips bring perspective.
- Compliance Theater – "Can I get a screenshot of that?"
This episode is equal parts insightful, hilarious, and maybe a little chaotic—just the way we like it.
Learn more about Pete Waterman: https://www.linkedin.com/in/petewaterman/
Learn more about Paramify: https://www.paramify.com/
Learn more about Kenny: https://www.linkedin.com/in/kenny-g-scott/
Learn more about Mike: https://www.linkedin.com/in/mikecschreiner/

Monday Mar 03, 2025
Today Kenny and Mike are talking to the one and only Jason Ford, CEO & Founder of Steel Patriot Partners—a true FedRAMP guru who's been securing systems since digital transformation was still a baby. Jason shares his battle-tested strategies for navigating security audits, implementing encryption the right way, and avoiding common pitfalls that can delay your compliance efforts for months.
Here's what we're tackling in this episode:
- "If You Can't Draw It, You Can't Secure It" – Why mapping your architecture is step one in cybersecurity.
- FedRAMP High vs. Moderate – Why enterprises (not just government) are demanding higher security standards.
- Encryption 101 – What's really required, and why some ciphers belong in the dumpster.
- Privileged Access Done Right – No more random one-off permissions for Jeff! Use roles, not regrets.
- The Future of Security Compliance – Automation, AI, and why FedRAMP is about to change everything.
If you're serious about building a security-first organization, tackling FedRAMP without losing your mind, or just figuring out how to keep your systems locked down like a fortress, this episode is for you.
Learn more about Paramify here: https://www.paramify.com/
Learn more about Steel Patriot Partners here: https://www.steelpatriotpartners.com/

Monday Feb 17, 2025
Getting started with risk management is easier than you think, and you don’t need fancy tools to do it.
In this episode, Kenny and Mike break down how a simple Google Sheet can be your secret weapon for designing a great security program. Whether you’re navigating FedRAMP, SOC 2, or ISO 27001, the key is just getting started—no expensive software required.
If you're a startup founder, security pro, or just compliance-curious, this episode is packed with easy, actionable steps to help you kick off your compliance journey—without breaking the bank.
Learn more about Paramify: https://www.paramify.com/
Learn more about Kenny: https://www.linkedin.com/in/kenny-g-scott/
Learn more about Mike: https://www.linkedin.com/in/mikecschreiner/

Monday Feb 03, 2025
Eric, the CISO at Federal Cyber Defense Solutions and former Chief FedRAMP Strategist at IBM and FedRAMP Leader at HP, shares his journey from growing up on a farm to becoming a CISO and FedRAMP expert. We dive into the challenges of FedRAMP compliance, the evolution of cybersecurity, and how today's security teams can strike the balance between technical expertise and meeting compliance demands.
In this episode, we cover:
- The real struggles of legacy tech and security controls
- How cybersecurity careers have evolved—then vs. now
- The shift toward security by design and the future of security operations
- Advice for new cybersecurity professionals on breaking into the industry
If you're interested in FedRAMP in 2025, compliance innovation, or cybersecurity career growth, this episode is a must-listen!
Learn more about Eric here: LinkedIn: https://www.linkedin.com/in/eadams2/
Learn more about Paramify: https://www.paramify.com/
Learn more about Kenny: Linkedin: https://www.linkedin.com/in/kenny-g-scott/

Tuesday Jan 21, 2025
Whether you’re launching a brand-new security program or fine-tuning your existing one, this episode has everything you need to know.
Kenny and Mike are breaking down the control assessment phases – why they matter and how they can transform your security processes.
Here’s what’s on deck in this episode of The Paramify Podcast:
- How to plan your security framework so it’s rock-solid from the start.
- Common pitfalls in frameworks like FedRAMP (and how to avoid them, no trench runs required).
- The importance of boundaries, collaboration, and a digital-first approach.
- Real-world lessons (and Star Wars stories) for simplifying security challenges.
Listen now and learn how planning, assessing, and reporting can level up your risk management game.