GRC Uncensored
Chaos
21 episodes
1 week ago
GRC Uncensored is an experimental podcast designed to elevate real conversations with GRC professionals, auditors, regulators, and those building programs around it. Your hosts are Troy Fine and Elliot Volkman.

Hosted on Acast. See acast.com/privacy for more information.

Categories: Tech News, Business, News, Management
Will FedRAMP 20x Repeat SOC 2’s Mistakes?
GRC Uncensored
58 minutes 27 seconds
3 months ago
This week on GRC Uncensored, the crew welcomes John Santore, a longtime FedRAMP and SOC 2 practitioner who has seen firsthand how compliance frameworks evolve, and sometimes unravel. Now serving as Director of Cyber Acceleration at Constellation GovCloud, John joins Troy and Elliot to unpack FedRAMP 20x, a new pilot program designed to streamline the U.S. government’s cloud authorization process dramatically.

The promise? Fewer controls, faster approvals, and greater automation. The concern? That all sounds a little too familiar.

Together, they explore whether FedRAMP 20x is an overdue modernization or the start of a dangerous slide toward the kind of checkbox compliance that has made SOC 2 certifications easier to get but harder to trust. From control mapping and auditor disruption to agency adoption and AI-assisted audits, this episode provides a deep dive into what happens when good frameworks move too quickly and how to maintain trust when they do.
[00:01:00] – Guest intro: John’s history with SOC 2, FedRAMP, and working with Troy

[00:06:00] – How SOC 2 influenced John’s transition into federal compliance

[00:08:00] – What is FedRAMP 20x, and why is it happening now?

[00:10:00] – From 12-month review cycles to fast-tracking assessments

[00:14:00] – Key Security Indicators (KSIs): replacing hundreds of controls with a handful of validations

[00:18:00] – Are KSIs basically just vague control summaries? (Spoiler: yes)

[00:22:00] – Why GRC platforms are being prioritized in the pilot

[00:25:00] – Potential expansion to FedRAMP Moderate and High

[00:28:00] – Will agencies even accept this?

[00:31:00] – Advice for cloud service providers evaluating FedRAMP now

[00:34:00] – Is FedRAMP on the path to commoditization?

[00:39:00] – Evaluating rigor vs. relevance: security posture ≠ certification

[00:44:00] – The problem of vague frameworks and audit inconsistency

[00:48:00] – Comparing SOC 2, FedRAMP, and the race to the bottom

[00:54:00] – Closing thoughts on AI, automation, and the future of white-collar work
Guest: John Santore, Director of Cyber Acceleration, Constellation GovCloud

Hosts: Troy Fine & Elliot Volkman

Runtime: ~58 minutes