Episodes

  • Today we're sitting down with the Father of FedRAMP himself — Dave Fairburn Jr. — for a raw, detailed, and at times hilarious deep dive into the origin story, evolution, and future of the FedRAMP program. From 16-hour days and bureaucracy battles to 2,500-page documentation drafts reduced by weight tests (yes, really), Dave walks us through how the entire FedRAMP framework was created, challenged, and still, nearly 15 years later, hasn’t been "screwed up" (his words). This episode is packed with insider stories, lessons learned, and real talk about:

    - Why the original FedRAMP design was JAB-only (no agency ATOs)

    - How 3PAOs came to be — and the concern about quality today

    - Why the “paperwork exercise” argument drives Dave crazy

    - What Dave thinks about FedRAMP 20x, AI, OSCAL, automation, and PMO changes

    - Predictions about what will (and won’t) change in the next 10 years

    Learn more about Dave Fairburn Jr.: / %e2%98%81%ef%b8%8f-dave-fairburn-jr-cissp-...

    Learn more about Paramify: https://www.paramify.com/?utm_medium=...

    Connect with Kenny: Kenny G. Scott: / kenny-g-scott

    Connect with Mike: Mike Schreiner: / mikecschreiner

  • What do DC sneakers, HR-approved marriage advice, and compliance robots have in common? They’re all part of this episode as Kenny and Mike dive into the bold future of FedRAMP 20X — and why it’s finally time to fix the pain points for both private companies and government agencies.

    Here’s what they cover:

    - The (not) shift in risk ownership — why agencies have always owned the risk and the PMO will focus on standards

    - The myth of "set-it-and-forget-it" security — and the need for continuous monitoring

    - The problem with screenshot audits — and smarter ways to prove assurance

    - The role of auditors vs. automation — balancing trust and verification

    - Why developers don’t love security — and how to make it less painful

    - The future for faster authorizations, and why you shouldn't wait for the FedRAMP changes to happen to get FedRAMP Authorized.

    If you’ve ever yelled at your SSP or cried over a screenshot audit, this one’s for you.

    Sign up for the FedRAMP working groups here:https://www.fedramp.gov/20x/working-groups/

    Learn more about Paramify here: https://www.paramify.com/

    Learn more about Kenny: https://www.linkedin.com/in/kenny-g-scott/

    Learn about Mike: https://www.linkedin.com/in/mikecschreiner/


  • Today, we're pretending it's August 24, 2024, as Kenny and Mike sit down with Pete Waterman to talk about his backstory and what inspired him to apply to become the new FedRAMP Director.

    Spoiler alert: we discuss frustration, bureaucracy, and a wild career move. Also these things:

    - Pete's Origin Story – Every hero has one.

    - Government Tech: Why Is It So Hard? – Bureaucracy, risk, and the myth of FISMA jail.

    - The Future of FedRAMP – Can it get faster?

    - Motorcycles & Risk Management – How intercontinental motorcycle camping trips bring perspective.

    - Compliance Theater – "Can I get a screenshot of that?"

    This episode is equal parts insightful, hilarious, and maybe a little chaotic—just the way we like it.

    Learn more about Pete Waterman: https://www.linkedin.com/in/petewaterman/

    Learn more about Paramify: https://www.paramify.com/

    Learn more about Kenny: https://www.linkedin.com/in/kenny-g-scott/

    Learn more about Mike: https://www.linkedin.com/in/mikecschreiner/

  • Today Kenny and Mike are talking to the one and only Jason Ford, CEO & Founder of Steel Patriot Partners—a true FedRAMP guru who's been securing systems since digital transformation was still a baby. Jason shares his battle-tested strategies for navigating security audits, implementing encryption the right way, and avoiding common pitfalls that can delay your compliance efforts for months.

    Here's what we're tackling in this episode:

    - "If You Can't Draw It, You Can't Secure It" – Why mapping your architecture is step one in cybersecurity.

    - FedRAMP High vs. Moderate – Why enterprises (not just government) are demanding higher security standards.

    - Encryption 101 – What's really required, and why some ciphers belong in the dumpster.

    - Privileged Access Done Right – No more random one-off permissions for Jeff! Use roles, not regrets.

    - The Future of Security Compliance – Automation, AI, and why FedRAMP is about to change everything.

    If you're serious about building a security-first organization, tackling FedRAMP without losing your mind, or just figuring out how to keep your systems locked down like a fortress, this episode is for you.

    Learn more about Paramify here: https://www.paramify.com/

    Learn more about Steel Patriot Partners here: https://www.steelpatriotpartners.com/

  • Getting started with risk management is easier than you think, and you don’t need fancy tools to do it.

    In this episode, Kenny and Mike break down how a simple Google Sheet can be your secret weapon for designing a great security program. Whether you’re navigating FedRAMP, SOC 2, or ISO 27001, the key is just getting started—no expensive software required.

    If you're a startup founder, security pro, or just compliance-curious, this episode is packed with easy, actionable steps to help you kick off your compliance journey—without breaking the bank.

    Learn more about Paramify: https://www.paramify.com/

    Learn more about Kenny: https://www.linkedin.com/in/kenny-g-scott/

    Learn more about Mike: https://www.linkedin.com/in/mikecschreiner/

  • Eric, the CISO at Federal Cyber Defense Solutions and former Chief FedRAMP Strategist at IBM and FedRAMP Leader at HP, shares his journey from growing up on a farm to becoming a CISO and FedRAMP expert. We dive into the challenges of FedRAMP compliance, the evolution of cybersecurity, and how today's security teams can strike the balance between technical expertise and meeting compliance demands.

    In this episode, we cover:

    - The real struggles of legacy tech and security controls

    - How cybersecurity careers have evolved—then vs. now

    - The shift toward security by design and the future of security operations

    - Advice for new cybersecurity professionals on breaking into the industry

    If you're interested in FedRAMP in 2025, compliance innovation, or cybersecurity career growth, this episode is a must-listen!

    Learn more about Eric here: LinkedIn: https://www.linkedin.com/in/eadams2/

    Learn more about Paramify: https://www.paramify.com/

    Learn more about Kenny: Linkedin: https://www.linkedin.com/in/kenny-g-scott/

  • Whether you’re launching a brand-new security program or fine-tuning your existing one, this episode has everything you need to know.

    Kenny and Mike are breaking down the control assessment phases – why they matter and how they can transform your security processes.

    Here’s what’s on deck in this episode of The Paramify Podcast:

    - How to plan your security framework so it’s rock-solid from the start.

    - Common pitfalls in frameworks like FedRAMP (and how to avoid them, no trench runs required).

    - The importance of boundaries, collaboration, and a digital-first approach.

    - Real-world lessons (and Star Wars stories) for simplifying security challenges.

    Listen now and learn how planning, assessing, and reporting can level up your risk management game.

  • We’ve heard you. We all want to know just how much it cost the Empire when the first Death Star was blown to oblivion by a young boy from Tatooine. And how could the Empire let this happen?

    Kenny Scott and Mike Schreiner dive deep into risk management and cybersecurity—all through the lens of Star Wars.

    Kenny uses Star Wars analogies to break down key concepts like:

    - Assets (Death Stars)

    - Vulnerabilities (Thermal Exhaust Ports)

    - Threats (X-wings)

    - Controls (Force fields, turrets, the Dark Side and Darth Vader)

    - Risk Treatment Strategies:

      - Mitigate all by yourself
      - Share risk like pizza
      - Transfer it to some do-gooder
      - Accept the risk (aka, just flat out ignore it)
      - Avoid the risk cuz you’re just too scared.

    Whether you're looking to build a risk management program OR just geek out over Star Wars references, this episode has something for you.
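    As an added example (it is not code from either episode, from Paramify, or from the hosts), here is the kind of bare-bones risk register the two episodes above are talking about: a spreadsheet export, scored and triaged into the five treatments in a few lines of Python. The CSV rows, the 1 to 5 likelihood and impact scales, the risk-appetite threshold and the treatment rules are all assumptions made for illustration, not a standard.

```python
import csv
import io

# Constructed sample register in the shape of a spreadsheet CSV export.
# Every row, score and column here is an assumption for this example.
SAMPLE_REGISTER = """\
asset,vulnerability,threat,likelihood,impact,existing_control,shared_with
Death Star,Thermal exhaust port,X-wing attack run,3,5,Turbolaser turrets,
Public demo admin console,No authentication on demo endpoint,Anyone on the internet,5,5,,
Data center,Ground-floor server room,Regional flooding,1,5,Sandbags,
Object storage,Misconfigured bucket ACL,Opportunistic scanner,3,4,,Cloud provider
Guest Wi-Fi,Weak shared passphrase,Drive-by attacker,2,2,Network segmentation,
"""

# Assumed 1-5 ordinal scales; score = likelihood * impact, so 1..25.
RISK_APPETITE = 4  # scores at or below this are accepted as-is (assumed policy)


def load_register(text):
    """Parse a CSV register into dicts, validating and scoring each row."""
    rows = []
    for line_no, row in enumerate(csv.DictReader(io.StringIO(text)), start=2):
        try:
            likelihood = int(row["likelihood"])
            impact = int(row["impact"])
        except (KeyError, ValueError, TypeError) as exc:
            raise ValueError(f"row {line_no}: likelihood/impact must be integers") from exc
        if not (1 <= likelihood <= 5 and 1 <= impact <= 5):
            raise ValueError(f"row {line_no}: scores must be in 1..5")
        row["likelihood"], row["impact"] = likelihood, impact
        row["score"] = likelihood * impact
        rows.append(row)
    return rows


def choose_treatment(row, appetite=RISK_APPETITE):
    """Pick one of accept / avoid / transfer / share / mitigate for a scored row.

    The thresholds are an illustrative policy, not a standard. Precedence
    matters: a risk inside appetite is accepted even if it could be shared.
    """
    score, likelihood, impact = row["score"], row["likelihood"], row["impact"]
    if score <= appetite:
        return "accept"      # within appetite: record it and who signed off
    if likelihood >= 4 and impact >= 4:
        return "avoid"       # too likely and too damaging: stop the activity
    if impact >= 4 and likelihood <= 1:
        return "transfer"    # rare but catastrophic: insurance or contract
    if row.get("shared_with"):
        return "share"       # a provider owns part of the control (shared responsibility)
    return "mitigate"        # the default: add or strengthen a control


def treatment_plan(rows, appetite=RISK_APPETITE):
    """Return rows sorted highest-risk first, each tagged with its treatment."""
    plan = []
    for row in rows:
        tagged = dict(row)
        tagged["treatment"] = choose_treatment(row, appetite)
        plan.append(tagged)
    plan.sort(key=lambda r: (-r["score"], r["asset"]))
    return plan


def render_plan(plan):
    """Plain-text table with the columns you would paste back into the sheet."""
    lines = [f"{'score':>5}  {'treatment':<9}  asset"]
    for r in plan:
        lines.append(f"{r['score']:>5}  {r['treatment']:<9}  {r['asset']}")
    return "\n".join(lines)


if __name__ == "__main__":
    print(render_plan(treatment_plan(load_register(SAMPLE_REGISTER))))
```

    The point of the rules being explicit in code rather than in someone's head is that the sheet can be re-scored every time a row changes, and the "accept" decisions stay visible instead of quietly becoming "ignore".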

  • Today we’re talking to Tony Bai. With 25 years of experience in cyber defense and operations, Tony serves as the Chief Solutions Officer at RISCPoint. He is a United States Air Force veteran with extensive leadership experience at leading consulting organizations. Tony specializes in FedRAMP, CMMC and other NIST frameworks and is a leading voice on their latest developments, which seem to be pretty intense these days. This is a great episode!

    Learn more about Tony Bai: https://www.linkedin.com/in/williamtbai/

    Learn more about RISCPoint: RISCPoint is an industry-leading management consulting firm, specializing in cybersecurity, compliance, and risk management, providing both strategy and tactical implementation. Our founding vision is a seamless integration with your team, focusing on creating impactful solutions to help you achieve your objectives.

    https://www.riscpoint.com/

    https://www.riscpoint.com/services/public-sector

    https://www.riscpoint.com/contact

    Learn more about Kenny Scott: https://www.linkedin.com/in/kenny-g-scott/

    Learn more about Paramify: https://www.paramify.com/

  • We're talking with Mandy Andress, Chief Information Security Officer (CISO) at Elastic. Mandy is making a huge impact in the security industry as the author of Surviving Security: How to Integrate People, Process, and Technology, a Top 100 CISO (C100) Award recipient, and a LinkedIn Top Voice. Her leadership goes well beyond her role as CISO – she's also a trusted advisor to many organizations, a frequent speaker at global conferences like Black Hat and Networld+Interop, and a driving force behind Elastic's IPO success.

    Learn more about Mandy Andress: https://www.linkedin.com/in/mandyandress/

    Learn more about Elastic: https://www.elastic.co/

    Learn more about Kenny Scott: https://www.linkedin.com/in/kenny-g-scott/

    Learn more about Paramify: https://www.paramify.com/

  • Today, we’re honored to have Michael Carter on the show! Michael is the Managing Partner and Co-founder of Fortreum. Michael brings over two decades of expertise in cybersecurity and compliance, specializing in FedRAMP, FISMA, PCI, and more. He has held key leadership roles at Coalfire and Veris Group, shaping compliance strategies for top organizations across both government and commercial sectors. Michael’s deep insights into security and risk management make him a leading voice in the industry.

    Learn more about Michael Carter: / carte2ms

    Learn more about Fortreum: https://fortreum.com/

    Learn more about Kenny Scott: / kenny-g-scott

    Learn more about Paramify: https://www.paramify.com/

  • Today, we're honored to have Alexander Stein on the show. Alexander has a host of experience in Cybersecurity. He has worked as an IT Cybersecurity Specialist at the National Institute of Standards and Technology (NIST). With over two years at NIST focusing on Information Technology and Vulnerability Management, Alex has also held key roles at Flexion Inc. as a Security Practice Lead and Application Security Engineer, and at BAM Technologies.

    Learn more about Alexander Stein here: LinkedIn: / alexanderjstein

    GitHub: github.com/aj-stein.

    Learn more about NIST: https://www.nist.gov/

    Learn more about Kenny Scott: LinkedIn: / kenny-g-scott

    Learn more about Paramify: Website: https://www.paramify.com/

    LinkedIn: / dashboard

  • Today, we're honored to have Michael Clauser, on the show. Mike is the Founder & Managing Director of Ark where he helps tech and defense companies navigate government relations. He is a seasoned professional in government affairs, cybersecurity, and national security. Michael has led pivotal roles at Okta, Access Partnership, Analog Devices, and Fujitsu Limited, and served as a national security aide in the Pentagon. With a decade as an Intelligence Officer in the U.S. Navy, he has also held leadership roles supporting veterans and contributing to public policy.

    Learn more about Michael Clauser: LinkedIn: https://www.linkedin.com/in/michaelaclauser/

    Learn more about Ark: https://ark.ga/

    Learn more about Kenny Scott: LinkedIn: https://www.linkedin.com/in/kenny-g-scott/

    Learn more about Paramify: Website: https://www.paramify.com/

    LinkedIn: https://www.linkedin.com/company/80788473/admin/dashboard/

  • Today we're honored to have Matt Hillary on the podcast. Matt is the Vice President of Security and Chief Information Security Officer at Drata. He is a seasoned cybersecurity leader with 15 years of experience and a passion for enabling innovation.

    Learn more about Matt Hillary: LinkedIn: https://www.linkedin.com/in/matthewhillary/

    Matt Hillary's Forbes article: https://www.forbes.com/sites/forbestechcouncil/2024/06/20/privacy-by-design-and-its-impact-on-security-and-grc/

    Learn more about Drata: Website: https://drata.com/

    Drata's LinkedIn: https://www.linkedin.com/company/drata/posts/?feedView=all

    Learn more about Paramify: Website: https://www.paramify.com/

    Paramify's LinkedIn: https://www.linkedin.com/company/80788473/admin/dashboard/

    Matt Hillary brings over 15 years of experience in executive security leadership, risk management, and compliance. His impressive track record includes roles at Lumio, Weave HQ, Workfront, and Instructure. Matt holds a Master’s in Information Systems Management from Brigham Young University and is a CISA-certified professional. Known for his strong technical background, positive leadership style, and effective communication, Matt is dedicated to building tailored security solutions that drive measurable success.

  • Today we're honored to have Eric Evans on the show! Eric is the Founder and CTO of HanaByte and a cloud security and compliance expert. He has led security initiatives for companies ranging from startups to the Fortune 10 and is a renowned public speaker on cloud security and compliance automation.

    Learn more about HanaByte: https://www.hanabyte.com/

    HanaByte on LinkedIn: https://www.linkedin.com/company/hanabyte/posts/?feedView=all

    HanaByte's write-up on the OMB Memo: https://www.hanabyte.com/a-look-at-the-modernizing-fedramp-memo/

    Eric Evans's LinkedIn: https://www.linkedin.com/in/ericgonzalesevans/

    Kenny Scott's LinkedIn: https://www.linkedin.com/in/kenny-g-scott/

    Learn more about Paramify: https://www.paramify.com/

  • Today, we're honored to be joined by Den Jones, Founder and CEO of 909Cyber and a veteran in cybersecurity. With a robust career that includes roles as Chief Security Officer at SonicWall, CSO at Banyan Security and Senior Director of Enterprise Security at Cisco, Den brings a wealth of experience to the table. He's a Stanford alumnus with a focus on Cyber Security and Executive Strategy, holds a Higher National Certificate in Computing from West Lothian College, and is a certified CISSP. Den also hosts 'Get IT Started. Get IT Done.', a podcast that discusses the cybersecurity industry. He’s here to share his expertise on the evolving cybersecurity landscape, tackling complex security challenges, and his approach to leadership in this crucial sector.

    Learn more about Den Jones: https://www.linkedin.com/in/denwjones/

    Get IT Started. Get IT Done. Podcast: https://podcasters.spotify.com/pod/show/banyan-security

    Learn more about Paramify here: https://www.paramify.com/

    Learn more about Kenny Scott: https://www.linkedin.com/in/kenny-g-scott/

  • Today, we’re honored to have Rob Sherwood on the podcast. Rob is a seasoned cybersecurity professional with extensive experience in policy management, PKI architecture, and identity management. With over two decades in the field, Rob has left a lasting impact through his dedication to standards development, including his significant contributions to the Open Security Controls Assessment Language (OSCAL). From his role as a Principal Consultant at Credentive Security to his pivotal involvement in projects like the oscal-pki-policy-converter tool, Rob's passion for advancing cybersecurity practices is evident. As an advocate for collaboration and knowledge-sharing, his insights into OSCAL offer invaluable perspectives for professionals and organizations navigating the complexities of cybersecurity policy management.

    Learn more about Rob: https://www.linkedin.com/in/rob-sherwood-credentive/

    Credentive Security: https://www.credentive.com/

    Paramify: https://www.paramify.com/

  • Today we had the honor to talk with Matthew Graham, the Director of US Federal Practice at Prescient Security. Matthew is a seasoned cybersecurity expert whose extensive career has spanned technical and strategic leadership roles. With a rich background that includes high-level certifications such as CISSP, CASP+, and CCNA, Matthew brings a wealth of knowledge on FedRAMP & cybersecurity practices and trends.

    In this episode, we talk about everything from FedRAMP Rev 5 to Hurricane Katrina and police interrogations.

    Learn more about Matthew Graham: https://www.linkedin.com/in/msgcyberassessments/

    Learn more about Prescient Security: prescientsecurity.com

    Learn more about Paramify: https://www.paramify.com/

  • Today we had the honor to talk with Brandt Keller, a distinguished software engineer and open source developer advocate with a comprehensive background that spans significant achievements in both the military and technology sectors. A veteran of the U.S. Marine Corps, Brandt has transitioned his disciplined and strategic approach from the field of communications within the military to the forefront of software engineering and cybersecurity. His recent endeavors have led him to explore the intricacies of Governance, Risk Management, and Compliance (GRC), focusing on the adoption of NIST's Open Security Controls Assessment Language (OSCAL) to promote data freedom and enhance the automation of compliance processes. Brandt's commitment to leveraging his expertise for the advancement of technology and compliance standards showcases his dedication to innovation and continuous improvement. We're truly excited to have Brandt on the show to delve into his rich experience, explore his contributions to the field of technology, and discuss his visionary work in making compliance data more accessible and actionable.

    Brandt Keller's open source project: https://github.com/defenseunicorns/lula

    Brandt Keller's LinkedIn: https://www.linkedin.com/in/brandtkeller/

    Paramify: https://www.paramify.com/

  • Today we're honored to host Tommy Hoschouer, who currently leads the global public sector efforts at DeleteMe. Tommy's rich history at companies like Sprinklr, Medallia, SAP, and Qualtrics has equipped him with a unique perspective on using technology to enhance public sector operations, leading to significant improvements in revenue and efficiency. Now at DeleteMe, he is dedicated to defending personal and professional information from increasingly sophisticated digital threats, such as identity theft and cyber attacks. His focus on strengthening data privacy and security is crucial in our digital era. We look forward to unpacking his valuable insights on how to protect digital identities and adapt to the evolving technological landscape in the public sector.

    In today's episode Kenny, Keaton, and Tommy talk about everything from data privacy, the importance of protecting your data, to our favorite ice cream shakes.

    Learn more about Tommy: https://www.linkedin.com/in/tommy-h-18484087/

    Learn more about DeleteMe: https://joindeleteme.com/

    Learn more about Paramify: https://www.paramify.com/