
#45 - The Evolution of FedRAMP and FedRAMP 20x with Jason Oksenhendler

“Once you’re in Hotel FedRAMP, you can’t leave.”

Jason Oksenhendler, Cybersecurity Director of FedRAMP®/GovRAMP at Baker Tilly x Moss Adams, sits down with Kenny and Isaac to talk about FedRAMP’s past, how 20x is shaping the future, and why nobody ever really checks out of Hotel FedRAMP.

👉 Key Takeaways:

• FedRAMP 20x was a “hand grenade” for everyone’s roadmap, and it’s already transforming compliance speed and evidence collection.

• Risk-first programs survive change — smart architecture and design decisions matter more than chasing checklists.

• Flexibility vs. rigor — 20x offers new freedom, but assessors must still enforce strong security.

• Collaboration wins — assessors and CSPs working together can turn impossible timelines into success.

Learn more about Jason:

https://www.linkedin.com/in/jason-oksenhendler/

Learn more about Baker Tilly x Moss Adams:

https://www.bakertilly.com/

https://www.mossadams.com/

Learn more about Kenny:

https://www.linkedin.com/in/kenny-g-scott/

Learn more about Isaac:

https://www.linkedin.com/in/isaacteuscher/ 

Learn more about Paramify: 

https://www.paramify.com/

Timestamps:

00:00 – Moss Adams x Paramify team-up
Jason recounts how a shared client pushed both teams into the deep end of 20x, asking to include the auditors before Paramify even had an assessment portal built.

01:00 – Less than two-week deadline
The group describes the chaos of spinning up a 20x package in record time, with Rob (the auditor) agreeing to figure things out alongside them.

01:44 – Submitting against moving targets
Just as the package was ready to go, the final Low 20x KSIs (Key Security Indicators) dropped — forcing last-minute changes and stress.

02:24 – Nature of FedRAMP change
Jason compares FedRAMP shifts to “big boulders” coming at you, not “mousy” tweaks — change is always disruptive and massive.

02:56 – Success despite chaos
Teams (Paramify, Flock, Baker Tilly) pulled it together, got the package in on time, and landed among the first four 20x submissions posted publicly.

03:07 – The reality check
Jason: not everything in FedRAMP is “dillydallying” — clients, deadlines, and bills make delivery non-negotiable.

03:13 – Official podcast kickoff
Kenny introduces the episode: Jason Oksenhendler (Baker Tilly, formerly Moss Adams), and Paramify’s “rising star” Isaac Teuscher.

04:01 – Jason’s career origin story
From news anchor ➝ IT tech writer ➝ into FedRAMP (starting around NIST 800-53 Rev 2).

05:40 – First FedRAMP assignment
Jason recalls his boss handing him a paper: “Go do FedRAMP.” He walks through early JAB/ISSO processes, feedback loops, and working with Matt Goodrich and Ashley Mahan.

11:43 – Co-creating the FedRAMP High Baseline
Jason describes working with DoD’s Ron Rice to build the High Baseline from scratch.

13:00 – Early FedRAMP pain
Microsoft Word & Excel “hell,” endless regurgitated control statements, and why some CSPs made assessors want to “bang their heads on the desk.”

15:32 – “You could do a Seinfeld routine on this crap.”
Jason on version control disasters and 600-page SSP reviews without track changes.

17:30 – Culture shock of change
Reactions to FedRAMP 20x mirror the same resistance to earlier shifts — but it’s always been “do once, use many.”

20:00 – Continuous monitoring reality
Jason emphasizes executive buy-in as essential, recalling how ConMon and POA&Ms separate prepared orgs from overwhelmed ones.

22:50 – FedRAMP rigor vs. other frameworks
Jason argues FedRAMP is among the toughest frameworks, on par with DoD IL4-6.

25:00 – 20x blows up the roadmap
Kenny calls 20x a “hand grenade” for Paramify’s product plans.

29:00 – Cross-team collaboration
Jason highlights how six strangers in a Slack channel worked seamlessly under pressure — “like a chocolate fountain.”

34:00 – 20x flexibility vs. rigor
Jason explains the challenge of balancing new freedoms with maintaining strong security.

38:00 – Scaling 20x & future baselines
Speculation about Moderate and High 20x baselines and how CSPs will adapt.

46:00 – Tools then vs. now
From CSAM, RSAM, and eMASS to Paramify — Jason praises ease of use as critical to speed and quality.

49:30 – Lifelong learning
FedRAMP’s ever-changing landscape keeps security careers fresh, like his days in broadcasting.

55:00 – “Get over it. This is the future.”
Jason’s blunt advice on 20x: stop resisting change, go where the work is, and be all-in.

59:02 – Career lesson from a mentor
Jason shares the Navy SEAL “my way, the right way, or the wrong way?” story — the moment that launched his assessment career.

1:02:04 – Closing
Relationships last longer than frameworks; Kenny, Jason, and Isaac wrap up the episode.

Copyright 2023 All rights reserved.