
How many of you are familiar with FedRAMP? Have you dealt with it before? Yeah. Okay. Awesome. Yep. And so what I'm going to do is... FedRAMP is obviously going through some changes, and we are kind of at the forefront of that, at the forefront of those changes, with a number of other partners, both in government and in the private sector. And so I'm going to explain to you a little bit about what FedRAMP was, right? Okay. And so to set that up, we just need to know how bad things really were at the very beginning of FedRAMP.

It was kind of DOA, right? It was just not going to work. So let me tell you what it was trying to do. Okay, so these are government entities, graphically demonstrated here, and they communicate on networks, right? They do not communicate on public networks. They communicate on things like NIPRNet. I don't know if any of you in this building have a CAC card, right? Not required anymore, but you need a CAC to connect to these things on an intranet, or, if you're going to be connecting to warfighter systems, it might be SIPRNet. You're not supposed to know about it, but the government communicates on these private networks. Okay?

And over two decades ago, Amazon comes out with, you know, S3, EC2, all those things, right? And so the governments are like, "Hey, we want to use that. That's actually really cool. It's super efficient. We'd love to use that. They do it better than us." And then you had basically a bossy bureaucrat that gets in the way of that and says, "No, you can't do that." But then someone came up to him and said, "Well, what if we made the process just as terrible as the one you have to go through?" And so that got them, like, "All right, tell me more. Go on. Let's do this." And what we'll do is we'll have one little tiny agency inside of the GSA.

So this is one of the problem statements at the very beginning: we'll have one little tiny agency inside of the GSA accept risk on behalf of all the government for cloud systems, right? And for whatever reason, no one paused. They're like, "All right, sounds good. And we'll call it FedRAMP, right?" Okay, so they call it FedRAMP. And essentially, the first thing you needed was this idea of the agency sponsor, right? So someone was going to say, "Okay, you want to do FedRAMP? Great. We're GSA. We're a small... a little company, not a company, we're an agency inside of GSA, or we're HHS, or we're a small agency inside of the FDA." Yeah. Something like that. And so they have to love you, right? And we could never make people fall in love, just like any kind of genius, right? Can't do it. But if someone really likes you inside of the government, they're willing to commit, you know, 500K, 300K, then they'll be like, "Yeah, we have that money. We can just print it, right? We'll do it." Okay. And so the next step was you need to put together your system security plan. So the idea was kind of like...

This is the analogy that I like the most. Okay, imagine it's 2010, and this is our approach to software. We're going to create a perfect system. We're going to decide how we're going to implement security on this software system. And we're going to be really detailed. It's going to be thousands of pages of documents. Thousands. We're going to go and make sure that it's right, and we're going to take this little software package and package it up, and then we're going to have a document that explains it, and then we're going to ship it off to sea, and then we're going to fire all the devs, and we're never going to change that system ever again. Okay, that's essentially what they were doing. And then it's like, "Oh, we've got to go make a change. Actually, we just changed it." Like, okay, we'll go get the system, bring it back in, let's undo it, and we'll update the documentation. You're not going to use Duo anymore, you're going to use Okta. Or you're not going to use Okta anymore, you're going to use Zscaler. You're going to use something different. Okay? And so you have like 59 different places where that's going to be represented in a FedRAMP package or in a DoD package. Made no sense, right?

Okay. So the next thing you had to do is complete an audit. And I've seen lots of different statements of work here, ranging from the 100Ks to the seven figures to multiple. And it's just really expensive, right? So we're just racking up things. By the way, our way to do this system security plan in the past was we hire a bunch of consultants and we just get through it, you know, we throw a lot of money at it. And so people would kind of, you know, just burn out. And then after you submitted your huge package, then you had an authority, right?

Do you remember the problem? Can a little small agency inside of the GSA actually accept risk on behalf of agencies? And here's the problem. So I went through this multiple times at Adobe and also with customers, and, you know, I've done a lot of these things now, and it's crazy that even when you get a FedRAMP ATO, FedRAMP High, agencies are still not able to look into that package and say, "Oh, yeah, now I'm comfortable. Yeah, okay." Because the law is that agencies have to run their risk management process. And for some reason, looking at these documents over thousands of pages was actually kind of hard, right? Especially when you know you're doomed from the beginning. You do not build software once and ship it off to sea and never change it. It's dynamic, and it's been that way, and it's even more so today. Okay, so that was kind of the thing. So even after you got your ATO, you had this awful process, which was continuous monitoring, you know. So what I dealt with on my team was, I had like 90% of our budget that went to paper chase, legit. And that's being, I think, generous. And I'm like, man, that really sucks.

And then you're kind of in this purgatory, right, in the old way. So, you know what, after that we said, you know, I've had it, this really sucks, I'm sick of this. So in the very beginning I had this idea that we would build out the telemetry of your system and then automate the document. You're like, you want a stupid document? Okay, fine. Here's your stupid document. And that was kind of working for us, especially for that small niche of companies that needed it. Not perfect, right? Definitely not a panacea, but it had a lot of product-market fit for that last thing. We run a podcast in Katon where we just basically throw rocks at how ridiculous this process is and make fun of it, you know. Our branding is really irreverent, you know, and we actually got the attention of the government, and so we were actually invited to go to the White House. Me and Mike Griner were talking to people there, and we were talking to the CIO of OMB, and he's like, "Hey, we were super excited to get going. Here's a problem. DOGE just stopped our budgets. I have literally $1 on my card." So we can't do it. Oh my god, damn it. You know, I'm like, that's not going to work.

And then the next thing after that was we met Pete, who's now the director of FedRAMP, and he said, "Hey, we're going to blow all this up, right? We're going to blow up FedRAMP." I'm like, "What do you mean?" Okay. And so what he did was 20x. And these were kind of the goals that Pete had, right? He wants to automate 80% of the control testing. I'm like, "Wow, that's a lot different than the screenshots that I was seeing in all the FedRAMP packages that you reviewed." It was just nuts, right? Based on point-in-time audits, based on systems that are always changing but pretending they don't, you know. And so FedRAMP 20x came out, and we had a decision to make. We actually had to completely blow up our road map. I have friends in the audience here that have been a real help for us in helping to solve this problem. Right? So the idea of 20x is that you automate the testing, but in a way that hasn't been done before, and it's not screenshot-based, but it's actually deterministic telemetry. Like, well, this is what we were always trying to do. It's really hard to do, but that would get you to a point where you have true continuous monitoring. You don't need the paper chase, right? And so the other thing that Pete said is, hey, also FedRAMP's not going to do it. We need people in the industry to come forward. So we had a few members of the resistance, right? Some of them are here today. And this would enable us to have rapid innovation. We're at the very end of the FedRAMP 20x Moderate pilot. It has been incredibly exciting, incredibly challenging, but we have actually been a part of implementing FedRAMP 20x for ourselves, right, building a solution, and then we also have partners that we're working with. It's a journey, it's not perfect, and things are changing quite a bit. We're moving as fast as we can. But this is kind of what it is.

And this actually probably needs to get updated a little bit, because this is now 2027, but all of FedRAMP is changing. So if you have an existing FedRAMP ATO and you're doing the old Rev 5 process, that's actually going to... let me just check time. Okay, good. The whole documentation, like big piles of documents, right, that's going away. So if you have a really legacy approach, now is the time to start rethinking that. It's not easy, actually, to do this change, especially in enterprise. So it's really important to be paying attention to what's happening in FedRAMP. The early feedback and what we're seeing is, we're really encouraged with what we're seeing in 20x. I think for our package, for Paramify, it's actually phenomenal. I think 86% of our controls are automated. So 86% of our controls are automated cradle to grave: that is fetching evidence, that is validating evidence, that's tied to the documents that are delivered. It's completely transparent, right? No integrations that block how we're... and when we make changes, it's actually reflected in the whole package right away. So this is a reality for us, but what we have to do is figure out a better way to help our clients do this, and so that's the journey.

I want to talk a little bit about our approach. This is not for... this is just how I think about risk, and so I hope that this is helpful for you on how you guys can think about how to build continuous monitoring. So this is nothing to do with FedRAMP. Again, my whole goal... I hated FedRAMP so much, right? Because first it was very personal. I lost so much sleep, and I mean it was actually pretty hard on my marriage at points, right? You know, so I hate the old FedRAMP process. And I'm super glad that we are effectively killing the process. I always tell my team, I feel like what we're doing, this approach, is going to scale. So I always talk about, have you guys seen Dune 2? Anybody? It's basically the best sci-fi movie ever. I think it's the best one even though it deviates from the book. But one of the cool deviations from the book in the movie is when Paul Atreides goes up to his grandpa, he goes, "Hello, grandfather." And then he says, "You die like an animal." He kills him. And I'm like, "I feel like that's better. I feel like we kill it." And I feel like that's good, right? So the Baron's dead. And now the next portion is to go after the Department of War, that still does the old way. And so I call them the Sardaukar. So you know what happens to the Sardaukar next? We're coming for them, right? And then we're going to go on a 12-year jihad against all the SOCs too, ISO, PCI, we're going to do all this. So that's the plan, that's what I'm telling you, and this is the approach that unlocks that. It doesn't have to be us; this is what will enable it.

Everything starts in terms of stack. Ideally, when you're talking about your compliance program, what is a stack? A stack is any group of people, process, and technology that take in data to fulfill some sort of, you know, goal, right. So sometimes a stack or a business could be: we take in raw materials. We pull in these raw materials, like, you know, we pull in astrophase, right, to fly our ship, right, and we get tala to kill the astrophase. You know, we have some sort of mission, right? We need things, right? So for cyber companies, we need data. Okay, and so for us it's this little Paramify cloud. We have about 75 people now that work with us, right? And we're taking in data to try and help people automate their ATO process, right, in a way that hasn't been done before. And so there's certain risks that apply to my stack. Okay, these are, again, just supposed to represent risk families, right? So when we look at a risk, what is it? It's like organization. Okay, so the organization risk: FedRAMP asks about how do you make sure that you get the right people in here and that you're, you know, hiring correctly, right? I'm like, so okay, yeah, so we have background checks, right? So there's human resources risk, and there are risk solutions underneath that. Okay, so what are you using for background checks? I'm like, oh yeah, we're using Certn, or we're using something else in Rippling. We have an HR platform, right? Okay. For managing, you know, payroll and onboarding. We have a threat awareness program. Our solution for that is KnowBe4 or something else in AI, that, you know, training exercises. Those are actually, I think, really important. So that's how we look at it, the organization risk.

There's also general IT risk, right? These are things that we're all talking about in this conference today when we're not talking about AI. Ultimately it comes down to, what are your ways for addressing particular risk, right? There's network risk, there's observability risk, data security, application delivery. What are the actual solutions that you're, you know, what are your web applications, what are your managed services, what are the end-user responsibilities, right? This is actually something that gets overlooked quite a bit. So I always tell my team, like, what do you mean by end-user responsibility? Okay. So if I go to Rippling and I give everybody access to, like, approve payroll, that's actually not on Rippling. That's on me, right? I need to basically protect how I'm configuring that. This is actually where most breaches happen, right? It's on the end user. It's super underappreciated. It usually gets this little spot in the SOC 2, right? Or it's in a freaking spreadsheet in the old FedRAMP process, you know, and this has to change, right? So there's also, like, InfoSec risk.

Okay, and so the last time I talked, I gave a little talk on risk management. What are the five risk treatments, the things you can do to treat risk? Does anybody... anybody want to? Sure. I guess. Yeah. So what's one of them you can do? What? Yeah. Okay. So, accept. You can accept it. You can just sip your drink and say, "I don't care about that risk. We're just going for it." Right? You can mitigate it all by yourself, right? You can share it, right? You can share that with people. So you can say, I'm going to use Okta, right, as my identity thing, and so I'm going to share some of the risk with them, because I've got to go configure it, right. What else can you... you can completely transfer it, right? So, for example, facilities risk: does that matter to us? Absolutely it does, right? Okay, and so this is how we build, this is how we look at how a risk solution maps to the actual compliance here. Okay, so physical access provisioning. Okay, there's multiple capabilities associated with that. How do we make sure that we get the right people inside of a facility, right? You guys have seen this before. Oh, yeah. Well, we have key cards. We have a system for managing the key cards. That physical access provisioning thing might be tied to the HR system. You have the review process. You have the deprovisioning when someone's not authorized. You know, there's a lot that goes into these solutions, but they're usually packed with the ability to handle all of that. And these capabilities right here are mapped to the requirements. And this is what we're looking for within a FedRAMP document, within a SOC 2, within a PCI ROC, whatever it is. For 20x, they actually don't even have a requirement here. And so I was wondering, why is it that the risk doesn't matter? It's like, no, it's because you're transferring that risk to AWS, right? And so what happens when you use this in brandy, it's like, okay, all this is green, and so you automatically don't have to do any validations there. It's like, okay, we just take that in and that's good to go.

Okay, you with me so far? Okay, so this is all green. Yeah. Oh, 800-171. That would be CMMC. I'll CMMC you later. Have you heard someone say that? Yeah. Freaking hate it. Huh? Oh, yeah. I guess we could do that. So, yeah. It would be the Rev 3. These things are probably mapped to these capabilities as well. Simple as that. Good question. Okay. So that's nice when we're transferring the risk. Okay. When we're accepting the risk... the other thing would be, how are you sharing the risk, right? So you've got a single sign-on risk solution that you've got to fill in. And so what you can do is you can say, okay, I'm going to do this all by myself. I'm going to implement Okta. I'm like, why isn't everything green? And the answer is, it's because you're sharing it. And then you're like, man, when I'm talking to people, like, man, I really don't know how to configure Okta. I'm like, good news, buddy. Most people have this concept called IT, right? And IT has actually already stood up Okta for you. So, you know what you can do is, you can not build your own authentication, and you can go ahead and implement that. And so what we want to do is inherit as much as possible. We want to transfer as much risk as possible. And so what we do is we offer the ability to inherit from within a system. Okay. And now we have companies that have, like, you know, 500 service teams that are using a particular Okta, or more, right? How do you do that? Well, there's a way to configure that so that you can say, hey, just point these systems at... like, set your Okta groups correctly so that you're automatically consuming. And that's how they built that, right? And so what we want to do is build this stack.

Here's an actual thing that happened to us the other day. Again, we're at the very beginning of this journey. I think that it's going to get better and better. But the day that we got FedRAMP 20x Moderate authorized, this happened, right? Yeah. Yeah. We got FedRAMP 20x Moderate authorized. And this is what happened to us. So I was like, hopefully no one sees that. But everything went red. And I was like, what freaking happened? And so we went into it, and I was like, oh, everything's red. Like, literally everything's red. And so we're like, okay, there's probably something that's common. And so I went to this RO permission enforcement, and we found that there was evidence that came in, but it came in blank, right? So there was an issue with how we were collecting the evidence. But I got, you know, I think something like 72 notifications on my phone, and it wasn't bugging me, but I'm like, "Oh my gosh, all these things." And so we went and we found the issue and we fixed it, and then it's back to normal, right? And everything's green.

So the way that we want to monitor, you know, all of our systems, right, is: agencies want to be able to see, you know, what is the status of these different organizations, and they don't want to see it just from, you know, a FedRAMP doc, like just a big stack of documents. They want to know, okay, what is the service provider's responsibility, what's breaking there, what are... within the company, is there a general IT risk at this company, and then is there a customer risk, right? Why are things breaking? And so we believe, and are seeing success here, that this is actually the way to do it. Right? So it's not necessarily technology dependent. I just think this is a good... Right. So I really appreciate your time here. I'm two minutes over. I'm happy to answer a couple questions, if you want to.
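As an added example (not Paramify's code and not anything shown in the talk), here is a toy Python model of the mapping the speaker describes: risk solutions carry a treatment (transfer, share, mitigate, accept) and capabilities that map to requirement IDs, transferred risk is green without validation, and the roll-up tells the blank-evidence collector fault apart from a genuinely failing control. All solution names, capability names, evidence strings and requirement IDs are constructed placeholders.

```python
# Added example (not Paramify's or FedRAMP's code): a toy model of the
# risk solution -> capability -> requirement mapping from the talk. Solution
# names, capability names and requirement IDs are constructed placeholders.
from dataclasses import dataclass
from enum import Enum
from typing import Optional

class Treatment(Enum):
    TRANSFER = "transfer"  # e.g. facilities risk handed to the cloud provider
    SHARE = "share"        # e.g. SSO: IT runs Okta, the service team configures it
    MITIGATE = "mitigate"  # you implement and validate the control yourself
    ACCEPT = "accept"

@dataclass
class Capability:
    name: str
    requirements: list              # requirement IDs this capability satisfies
    evidence: Optional[str] = None  # None: never fetched; "": fetched but blank

@dataclass
class RiskSolution:
    name: str
    treatment: Treatment
    capabilities: list

RANK = {"green": 0, "collection_error": 1, "red": 2}  # worst status wins on roll-up

def capability_status(cap, treatment):
    if treatment is Treatment.TRANSFER:
        return "green"             # inherited from the provider; nothing to validate
    if cap.evidence is None:
        return "red"               # no telemetry at all: control not demonstrated
    if cap.evidence.strip() == "":
        return "collection_error"  # collector ran but returned nothing (blank evidence)
    return "green"

def requirement_status(solutions):
    """Roll capability status up to each requirement ID (worst status wins)."""
    status = {}
    for sol in solutions:
        for cap in sol.capabilities:
            s = capability_status(cap, sol.treatment)
            for req in cap.requirements:
                prev = status.get(req, "green")
                status[req] = s if RANK[s] > RANK[prev] else prev
    return status

def triage(status):
    """Tell a broken evidence collector apart from genuinely failing controls."""
    bad = {s for s in status.values() if s != "green"}
    if not bad:
        return "all green"
    if bad == {"collection_error"}:
        return "collector fault"   # everything non-green for one common reason
    return "control failures"

def build_stack(perm_evidence=""):
    """Constructed sample stack; the default blank evidence reproduces the incident."""
    facilities = RiskSolution("AWS data centers", Treatment.TRANSFER, [
        Capability("physical access provisioning", ["REQ-PE-1", "REQ-PE-2"])])
    sso = RiskSolution("Okta (shared with IT)", Treatment.SHARE, [
        Capability("mfa enforcement", ["REQ-IA-1"], "mfa=required groups=12"),
        Capability("role permission enforcement", ["REQ-AC-1", "REQ-AC-2"], perm_evidence)])
    return [facilities, sso]
```

Calling `triage(requirement_status(build_stack()))` returns "collector fault", which is the signal the speaker was missing when every requirement went red at once.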