From Checklists to Code: Engineering the Future of FedRAMP w/ Pete Waterman (video uploaded to YouTube)
Paramify is making FedRAMP (Rev 5 or 20x), GovRAMP & CMMC fun. Get your $750 Gap Assessment at paramify.com/grc. To get access to the deep-dive transcript, subscribe to the GRC Engineer newsletter: grcengineer.com/subscribe

Wrong ink colours. $300,000 authorizations. Congressional investigations within the first month. How do you fix federal compliance from the inside?

In this episode, Pete Waterman, Director of FedRAMP, shares how he's applying 20+ years of engineering experience to rebuild federal authorization from first principles. What started with "violent hatred" of the programme has become one of the most significant transformations in government compliance. Pete's approach is radically different: treat policy like code, make the secure thing the easy thing, and let engineers lead whilst compliance follows. The results speak for themselves.

Key Topics Discussed:

The Problem State
How FedRAMP became a programme where perfection was fetishised beyond security, packages were rejected for cosmetic issues, and $300k costs prevented small teams from using modern tools

FedRAMP 20X Architecture
The dual-path strategy: improving Rev5 whilst building something entirely new with Key Security Indicators, machine-readable evidence, and persistent validation

Risk-Based Authorization
Why "my job is to make the government take more risks" - moving from bar-based to spectrum-based assessment where agencies choose based on their risk tolerance

Engineering-First Requirements
How KSIs like "prevent unauthorized access" replace "do these 18 specific things" and why cloud-native thinking changes everything

Radical Transparency Doctrine
Why posting roadmap updates every two weeks on GitHub creates trust and how "pre-decisional" anxiety is outdated thinking

Chapters:
00:00 - Introduction
01:21 - Pete's background: 20 years in engineering to FedRAMP Director
04:19 - "Reading laws like source code" - discovering policy misinterpretations
07:07 - First month chaos: Congressional investigations and "violent hatred"
08:46 - Government structure: 2M people, 500+ agencies, not a monolith
12:44 - Why FedRAMP became unwieldy trying to satisfy everyone
14:11 - Perfection fetishised: rejected for wrong ink colours
16:06 - Vision: 2-5 people managing 400 cloud services
18:46 - Why government gets crappy custom versions of software
21:09 - Security should improve engineering, not just check boxes
24:26 - Cloud-native approach: outcomes not prescriptive controls
26:54 - Future vision: click "encrypt everything" and you're done
29:43 - Machine-readable evidence: let engineers build what benefits them
31:48 - "Just grep out what I care about" - letting standards emerge
33:34 - Flipping the model: engineers lead, compliance follows
35:50 - The abstraction problem: policy writers who never built things
39:41 - Economics: $300k → $5k authorization pathway
43:31 - Threat modelling example: outcomes over prescribed frequency
45:48 - No bar to clear, just show your posture
52:26 - Radical transparency: GitHub roadmaps every 2 weeks
55:40 - AI in GRC: value-add vs adversarial compliance game
1:00:30 - "If it was automatable, someone would have done it 6 years ago"
1:05:00 - How engineers should prove security program funding
1:08:07 - Non-trivial work proving things we don't care about
1:13:22 - GRC skillset transformation: policy expert to product expert
1:17:30 - Risk philosophy: optimize how you ACCEPT risk
1:22:11 - "Make the secure thing the easy thing"
1:24:50 - Success metric: never hear "can't use it, not FedRAMPed"
1:27:00 - Ecosystem impact: GRC tools finally have use case
1:32:39 - Impact levels: same rules, different intensity
1:36:53 - Government leading the way for private sector
1:39:12 - Parting thoughts: let machines assess tech

About the Guest:
Pete Waterman is Director of FedRAMP, bringing over 20 years of engineering leadership experience to federal compliance. He previously worked with the US Digital Service as a cloud expert, with the Technology Modernization Fund coaching agencies on modernization, and ran engineering at an AI company. He took over FedRAMP in August 2023 with a mandate to transform the programme from an engineering-first perspective.

Connect with Pete: Pete Waterman: / petewaterman

About The GRC Engineer:
The GRC Engineer explores how engineering principles are transforming governance, risk, and compliance. Hosted by Ayoub Fandi, each episode features practitioners, leaders, and innovators who are building the future of GRC through automation, code, and systems thinking. Subscribe for episodes and entries featuring deep-dives into GRC automation, compliance as code, risk engineering, and the intersection of security, compliance, and software development.

🌐 Visit: grcengineer.com
💼 Connect: linkedin.com/in/ayoubfandi
📧 Newsletter: grcengineer.com/subscribe

#GRCEngineering #FedRAMP #Compliance #Automation #CyberSecurity #RiskManagement #DevSecOps #CloudSecurity