We make FedRAMP, GovRAMP, CMMC, and FISMA fun.

Joined April 2022
28 Aug 2025
That time when Isaac got the invite for a technical webinar with Prescient Security and Kenny did not. Kenny says, "That's awesome, Isaac." 🤷🏻‍♂️
Turns out FedRAMP® is pretty fun. We teamed up with Drata last Wednesday night after Coalfire's RAMPCon for mini golf, drinks, and GOATed vibes. We all had a great time! Shout to the many people that made this event one to remember: Forrest McMahon, Talal Ahmed, Bradley Josephs and Tiffany Josephs from Netskope, Andrew Ellis from Fortra, Chad Spears and Gary Daemer from InfusionPoints, LLC, Eric Beasley from Earthling Security, Brad Little, Daniel Massarsky, Jorden Foster, Adam Shnider, Marc Zurcher, Karen Laughton and Mike Spicer from Coalfire, Kylie Hunter from RegScale, Ingrid Woodley and Matthew Earley from 38North Security and Sandeep Kamble from SecureLayer7. Avery Lyford from RAPIDFORT. Sreedhar Gade from Freshworks. Benjamin W., Rachael Jenner, and Anil Markose from Oracle, Terry M. and Todd Kistner from Vbrick. Tara Houlden from Red Hat and so many other great people (we hit the mention limit lol) We'll see you at the next one 😎
It's happening TODAY. We teamed up with Drata to take over Puttery DC right after Coalfire's RAMPCon. Open to everyone in the FedRAMP® community. ⛳ Puttery DC 🗓 Today, Wednesday, June 10 🕓 4:00 - 6:00 PM ET We've still got some spots left. We'll see you there! Register here: luma.com/bgw4ol5t
Hey DC! 👋 If you're gonna be at Coalfire's RAMPCon, come hang with us! We teamed up with our friends at Drata to take over Puttery DC for a post-RAMPCon happy hour. Drinks. Small bites. Mini golf. Anyone and everyone in the FedRAMP® industry is welcome to tee up. 📍 Puttery DC 🗓 Wednesday, June 10 ⏰ 4:00 - 6:00 PM ET 🚶 6 minutes from the Ronald Reagan Building & International Trade Center Register here: luma.com/bgw4ol5t We can't wait to see you there!
Welcome to the team, Meredith Price!! 🚀 🌔
"Manually writing POA&Ms is easy bro, trust me"
We'll be at RAMPCon in DC June 10 - 11! Kenny and Isaac are both on stage. Kenny is on the Panel with Tara Houlden, and Anil Markose: AI-Powered Compliance Automation, From Vision to Production on Wednesday 6/11 from 9:30 to 10:15 AM. Isaac is speaking with Jorden Foster, and Marc Zurcher, from Coalfire on FedRAMP® 20x: What's Changing and How to Prepare on Tuesday 6/10 from 1:45 to 2:30 PM. Mike, Caze, Weston, Tyler, Kelly and Keaton will also be there. If you're at RAMPCon, come find us! And after RAMPCon on Wednesday, we're teaming up with Drata to take over Puttery DC for a happy hour ft. drinks, small bites, and mini golf. The 19th Hole at RAMPCon: 📍 Puttery DC 🗓 Wednesday, June 10 ⏰ 4:00 to 6:00 PM ET Come hang with us. Whether you want to talk FedRAMP, grab a drink, or you just want to putt, this is where you want to be. Register for the happy hour here: luma.com/bgw4ol5t We can't wait to see you there!
Welcome to the team, Kaycee C.!! 🚀 🌔
Welcome to the team, Wiley Welch! 🚀 🌔
Welcome to the team, Kang Jin Kim!! 🚀 🌔
She Threw Coins Into A Plane Engine 😱
"For years defense contractors kept hearing CMMC's coming. And then it kept not coming. So they grew this boy who cried wolf mentality where once it finally really was coming, they were like, I've heard that before." - Matt Bruggeman Kenny and Mike sit down with Matt Bruggeman, Director of Federal GTM at A-LIGN. Matt has done it all, he's a trained electrical engineer, improv comedian, and independent filmmaker. Matt's birthday was yesterday so this episode is basically his gift. Happy birthday Matt 🎂 In this episode, they talk about where CMMC actually stands today, why the November 10th Phase 2 deadline changes everything, and what FedRAMP® 20x could mean for the future of CMMC. Key takeaways: • Why Phase 2 ends the self-attestation era for Level 2 • The Rev 2 to Rev 3 transition and why nobody should rush it • What FedRAMP equivalency actually means (and what the DoD memo says) • How 20x could reshape CMMC down the road • Why CMMC assessments still feel like 2006 • Why compliance is too important to be boring Watch the full episode here: lnkd.in/eGg-bJqu
Kinda what manually writing POA&Ms feels like
One day, nearly every single control in Paramify's compliance dashboard turned red. Almost all of them, all at once. That is either a great story about continuous monitoring or a very bad day. Thankfully, it turned out to be the former. Most compliance platforms make you choose between doing security and documenting security. That is a bad choice to have to make. The right approach handles the documentation for everything, keeps it accurate, keeps it current, and lets your team focus on actually implementing security where it matters. When something changes, you know exactly what changed. When a risk exists, you know exactly who owns it: you, your IT team, or your vendor, your customer … you get it. These are not things we should guess about. No chasing people down. No spreadsheet that was last updated the week before the audit and hasn't been touched since. Paramify founder Kenny Scott walks through how our stack-based approach to risk management works in practice; organizing risk by who owns it, monitoring controls in real time, and giving agencies a transparent view they can actually make decisions from. It earned us a FedRAMP® 20x Class C (Moderate) Certification and it will work for literally any other framework going forward: FedRAMP Rev 5, CMMC, SOC 2, PCI-DSS, ISO 27001, AIUC, all with the same approach. More importantly, it meant that when everything turned red, we knew exactly why, exactly whose problem it was, and exactly how to fix it. When you set things up correctly, it is a huge unlock. This is what that looks like.
In compliance, what you don't know you're missing is more dangerous than what you do know. Bhanu Jagasia and Vincent Tham from bladestack.io call it the dark matter of data. Kenny and Mike sit down with Bhanu and Vincent from Bladestack. These guys are legit. They've been doing evidence automation and compliance engineering for years. Bhanu once dismissed FedRAMP at a conference. Then built an entire business on it. We got into: → The "dark matter of data" and why black box evidence collection is a problem → Why legacy FedRAMP® ruined lives and why 20x changes everything → Why 95% AI accuracy compounds into near-zero reliability over long agent chains → Why domain expertise matters more now than ever → FedRAMP 20x isn't just changing FedRAMP. It's coming for SOC 2, ISO 27001, and CMMC. Watch the full episode here: youtube.com/watch?v=aYLAKcDW…
The one man GRC team 5 minutes into manually maintaining POA&Ms
Family Claims Tiny Aliens Attacked Their Home 😱
How I’m looking at bro after he said he prefers SSPs over SSDRs
“Anytime someone says something is dead, that’s exactly what I have to go learn.” - Ethan Troy Kenny and Isaac sit down with Ethan Troy, Senior GRC Engineer at TRM Labs, Head of AI Research at GRC Engineering Club, and Hacker at hackIDLE. One of the GOATs of GRC engineering. He’s been shipping GRC tools, automations, and agents nonstop. He’s assessed FedRAMP packages from the 3PAO side at Coalfire and A-LIGN. He’s pentested for the Department of the Treasury. He built a FedRAMP 20x assessment app before most people knew what 20x was. His job interview at TRM Labs? They made him build an AI agent. And yes, this is the first Paramify Podcast Isaac is on. We got into: → Why now is the best time to learn something new → Why 85% of a good GRC agent is deterministic code, not AI → How to actually build agents (dog food your own stuff, stop one-shotting) → Why the SSP is becoming the SSDR (System Security Decision Record) and what that means for FedRAMP® 20x → Why domain expertise is what separates good AI output from great AI output Watch the full episode here: lnkd.in/e2_2-Quz