The Paramify Podcast

Today we're sitting down with the Father of FedRAMP himself — Dave Fairburn Jr. — for a raw, detailed, and at times hilarious deep dive into the origin story, evolution, and future of the FedRAMP program. From 16-hour days and bureaucracy battles to 2,500-page documentation drafts reduced by weight tests (yes, really), Dave walks us through how the entire FedRAMP framework was created, challenged, and still, nearly 15 years later, hasn’t been "screwed up" (his words). This episode is packed with insider stories, lessons learned, and real talk about:
Why the original FedRAMP design was JAB-only (no agency ATOs)
How 3PAOs came to be — and the concern about quality today
Why the “paperwork exercise” argument drives Dave crazy
What Dave thinks about FedRAMP 20x, AI, OSCAL, automation, and PMO changes
Predictions about what will (and won’t) change in the next 10 years
Learn more about Dave Fairburn Jr.:   / %e2%98%81%ef%b8%8f-dave-fairburn-jr-cissp-...   🔗 Learn more about Paramify: https://www.paramify.com/?utm_medium=... 👤 Connect with Kenny: Kenny G. Scott:   / kenny-g-scott   👤 Connect with Mike: Mike Schreiner:   / mikecschreiner  

What do DC sneakers, HR-approved marriage advice, and compliance robots have in common? They’re all part of this episode as Kenny and Mike dive into the bold future of FedRAMP 20X — and why it’s finally time to fix the pain points for both private companies and government agencies.
Here’s what they cover:
- The (not) shift in risk ownership — why agencies have always owned the risk and the PMO will focus on standards
- The myth of "set-it-and-forget-it" security — and the need for continuous monitoring
- The problem with screenshot audits — and smarter ways to prove assurance
- The role of auditors vs. automation — balancing trust and verification
- Why developers don’t love security — and how to make it less painful
- The future for faster authorizations, and why you shouldn't wait for the FedRAMP changes to happen to get FedRAMP Authorized.
If you’ve ever yelled at your SSP or cried over a screenshot audit, this one’s for you.
Sign up for the FedRAMP working groups here:https://www.fedramp.gov/20x/working-groups/
Learn more about Paramify here: https://www.paramify.com/
Learn more about Kenny: https://www.linkedin.com/in/kenny-g-scott/
Learn about Mike: https://www.linkedin.com/in/mikecschreiner/

Today, we're pretending it's August 24, 2024, as Kenny and Mike sit down with Pete Waterman to talk about his backstory and what inspired him to apply to become the new FedRAMP Director. 
Spoiler alert: we discuss frustration, bureaucracy, and a wild career move. Also these things:
- Pete's Origin Story – Every hero has one.- Government Tech: Why Is It So Hard? – Bureaucracy, risk, and the myth of FISMA jail.- The Future of FedRAMP – Can it get faster? - Motorcycles & Risk Management – How intercontinental motorcycle camping trips bring perspective.- Compliance Theater - "Can I get a screenshot of that?"
This episode is equal parts insightful, hilarious, and maybe a little chaotic—just the way we like it.
Learn more about Pete Waterman: https://www.linkedin.com/in/petewaterman/
Learn more about Paramify: https://www.paramify.com/
Learn more about Kenny: https://www.linkedin.com/in/kenny-g-scott/
Learn more about Mike: https://www.linkedin.com/in/mikecschreiner/

Today Kenny and Mike are talking to the one and only Jason Ford, CEO & Founder of Steel Patriot Partners—a true FedRAMP guru who's been securing systems since digital transformation was still a baby. Jason shares his battle-tested strategies for navigating security audits, implementing encryption the right way, and avoiding common pitfalls that can delay your compliance efforts for months.
 
Here's what we're tackling in this episode:
- "If You Can't Draw It, You Can't Secure It" – Why mapping your architecture is step one in cybersecurity.
- FedRAMP High vs. Moderate – Why enterprises (not just government) are demanding higher security standards.
- Encryption 101 – What's really required, and why some ciphers belong in the dumpster.
- Privileged Access Done Right – No more random one-off permissions for Jeff! Use roles, not regrets.
- The Future of Security Compliance – Automation, AI, and why FedRAMP is about to change everything.
 
If you're serious about building a security-first organization, tackling FedRAMP without losing your mind, or just figuring out how to keep your systems locked down like a fortress, this episode is for you.
 
Learn more about Paramify here: https://www.paramify.com/
Learn more about Steel Patriot Partners here: https://www.steelpatriotpartners.com/
 

Getting started with risk management is easier than you think- and you don’t need fancy tools to do it.
 
In this episode, Kenny and Mike break down how a simple Google Sheet can be your secret weapon for designing a great security program. Whether you’re navigating FedRAMP, SOC 2, or ISO 27001, the key is just getting started—no expensive software required.
 
If you're a startup founder, security pro, or just compliance-curious, this episode is packed with easy, actionable steps to help you kick off your compliance journey—without breaking the bank.
 
Learn more about Paramify: https://www.paramify.com/
Learn more about Kenny: https://www.linkedin.com/in/kenny-g-scott/
Learn more about Mike: https://www.linkedin.com/in/mikecschreiner/

Eric, the CISO at Federal Cyber Defense Solutions and former Chief FedRAMP Strategist at IBM and FedRAMP Leader at HP, shares his journey from growing up on a farm to becoming a CISO and FedRAMP expert. We dive into the challenges of FedRAMP compliance, the evolution of cybersecurity, and how today's security teams can strike the balance between technical expertise and meeting compliance demands.
In this episode, we cover:- The real struggles of legacy tech and security controls- How cybersecurity careers have evolved—then vs. now- The shift toward security by design and the future of security operations- Advice for new cybersecurity professionals on breaking into the industry
If you're interested in FedRAMP in 2025, compliance innovation, or cybersecurity career growth, this episode is a must-listen!
Learn more about Eric here: LinkedIn: https://www.linkedin.com/in/eadams2/
Learn more about Paramify: https://www.paramify.com/
Learn more about Kenny:  Linkedin: https://www.linkedin.com/in/kenny-g-scott/
 

Whether you’re launching a brand-new security program or fine-tuning your existing one, this episode has everything you need to know.
Kenny and Mike are breaking down the 𝗰𝗼𝗻𝘁𝗿𝗼𝗹 𝗮𝘀𝘀𝗲𝘀𝘀𝗺𝗲𝗻𝘁 𝗽𝗵𝗮𝘀𝗲𝘀 – why they matter and how they can transform your security processes.
Here’s what’s on deck in this episode of The Paramify Podcast:- How to plan your security framework so it’s rock-solid from the start.- Common pitfalls in frameworks like FedRAMP (and how to avoid them, no trench runs required).- The importance of boundaries, collaboration, and a digital-first approach.- Real-world lessons (and Star Wars stories) for simplifying security challenges.
𝗟𝗶𝘀𝘁𝗲𝗻 𝗻𝗼𝘄 and learn how planning, assessing, and reporting can level up your risk management game.

We’ve heard you. We all want to know just how much it cost The Empire when the first Death Star was blown to oblivion by a young boy from Tatooine? How could the Empire let this happen?
Kenny Scott and Mike Schreiner dive deep into risk management and cybersecurity—all through the lens of Star Wars.
Kenny uses Star Wars analogies to break down key concepts like:• 𝗔𝘀𝘀𝗲𝘁𝘀  (Death Stars)• 𝗩𝘂𝗹𝗻𝗲𝗿𝗮𝗯𝗶𝗹𝗶𝘁𝗶𝗲𝘀  (Thermal Exhaust Ports)• 𝗧𝗵𝗿𝗲𝗮𝘁𝘀 (X-wings)• 𝗖𝗼𝗻𝘁𝗿𝗼𝗹𝘀 (Force fields, turrets, the Dark Side and Darth Vader)• 𝗥𝗶𝘀𝗸 𝗧𝗿𝗲𝗮𝘁𝗺𝗲𝗻𝘁 𝗦𝘁𝗿𝗮𝘁𝗲𝗴𝗶𝗲𝘀:     • 𝗠𝗶𝘁𝗶𝗴𝗮𝘁𝗲 all by yourself     • 𝗦𝗵𝗮𝗿𝗲 risk like pizza     • 𝗧𝗿𝗮𝗻𝘀𝗳𝗲𝗿 it to some do-gooder     • 𝗔𝗰𝗰𝗲𝗽𝘁 the risk (aka, just flat out ignore it)     • 𝗔𝘃𝗼𝗶𝗱 the risk it cuz you’re just too scared.
Whether you're looking to build a risk management program OR just geek out over Star Wars references, this episode has something for you.

Today we’re talking to Tony Bai. He’s got 25 years of experience in cyber defense and operations, Tony Bai serves as the Chief Solutions Officer at RISCPoint. A United States Air Force veteran and lots of leadership experience at leading consulting organizations. Tony specializes in FedRAMP, CMMC and other NIST frameworks and is a leading voice on their latest developments that seem to be pretty intense these days. This is a great episode!
 
Learn more about Tony Bai:
https://www.linkedin.com/in/williamtbai/
 
Learn more about RISCPoint:
RISCPoint is an industry-leading management consulting firm, specializing in cybersecurity, compliance, and risk management, providing both strategy and tactical implementation. Our founding vision is a seamless integration with your team, focusing on creating impactful solutions to help you achieve your objectives.
https://www.riscpoint.com/ https://www.riscpoint.com/services/public-sector
https://www.riscpoint.com/contact
 
Learn more about Kenny Scott:
https://www.linkedin.com/in/kenny-g-scott/
 
Learn more about Paramify:
https://www.paramify.com/

We're talking with Mandy Andress, Chief Information Security Officer (CISO) at Elastic. Mandy is making a huge impact in the security industry as the author of Surviving Security: How to Integrate People, Process, and Technology, a Top 100 CISO (C100) Award recipient, and a LinkedIn Top Voice. Her leadership goes well beyond her role as CISO – she's also a trusted advisor to many organizations, a frequent speaker at global conferences like BlackHat and Networld + Interop, and a driving force behind Elastic's IPO success.
Learn more about Mandy Andress:Mandy's Linkedin: https://www.linkedin.com/in/mandyandress/
Learn more about Elastic:Elastic's Website: https://www.elastic.co/
Learn more about Kenny Scott:Kenny's LinkedIn: https://www.linkedin.com/in/kenny-g-scott/
Learn more about Paramify:Paramify's website: https://www.paramify.com/