Find partners
The Paramify Podcast

The Paramify Podcast

Hosted by Paramify

BusinessEntrepreneurshipInterviews guests

Episodes

60

Latest episode

Jun 2026

Language

EN

About the show

The Paramify Podcast is a practical, occasionally chaotic show about GRC, risk management, and staying audit-ready without losing your mind. It’s part talking security strategy, and part group therapy. We talk with cybersecurity and GRC leaders, including CISOs, auditors, founders, and security engineers, about FedRAMP and FedRAMP 20x, SOC 2, CMMC, NIST RMF, the shift toward continuous evidence, and everything in between. Learn about what we do at P aramify here: www.paramify.com

Listen to episodes

60 recent
June 29, 2026Episode 6038 min

Printer Security, FedRAMP High, and the Road to IL6 with Justin Scott

Justin Scott didn't set out to build a security program. But after Vasion's customers started asking hard questions about cloud security, he ended up leading the company through ISO 27001, SOC 2, FedRAMP Moderate, and all the way to FedRAMP High, with IL6 on the horizon. He breaks down what actually worked, what didn't, and why automation is non-negotiable. Learn more about Vasion at https://vasion.com Learn more about Justin Scott: https://www.linkedin.com/in/jusscott/ Learn more about Paramify at https://www.paramify.com Learn more about Kenny Scott: https://www.linkedin.com/in/kenny-g-scott/ Learn more about Mike Schreiner: https://www.linkedin.com/in/mikecschreiner/ Chapters: 0:00 Intro 1:06 Meet Justin Scott and Vasion 2:24 How Justin Got Into Security 4:29 Going from On-Prem to SaaS 7:24 Owning the Full Security Program at Vasion 10:26 Starting with ISO 27001 Before FedRAMP 13:00 The Challenge of Finding a Sponsor 16:20 Choosing Stack Armor as a Partner 19:06 Why a Technical Program Manager is Non-Negotiable 19:44 Printer Security and Why It's a Blind Spot 23:00 How Vasion's Capabilities Map to Compliance Frameworks 25:00 AI, ISO 42001, and What Vasion Is Building 27:36 The Role of Simplicity in Building a Security Program 29:31 Why Automation Is the Only Way to Keep Up 31:39 FedRAMP 20X: Takes and Tradeoffs 36:51 FedRAMP High as a Growth Lever 38:27 Justin's Advice for Anyone Starting a FedRAMP Journey 39:52 Outro

June 26, 2026Episode 5947 min

The VDR Mandate Is Here: FedRAMP NTC-0014 and CISA BOD 26-04 Explained

Monthly vulnerability scans and POA&M spreadsheets aren't going to cut it anymore. Kenny and Isaac break down FedRAMP NTC-0014 and CISA BOD 26-04, the two mandates reshaping how cloud service providers approach vulnerability management, and what CSPs need to do before the December 7, 2026 deadline hits. They cover why AI has fundamentally changed the threat landscape, how tools like Wiz are helping teams understand attack paths instead of just CVE lists, and what the FedRAMP VDR/VER standard actually requires in practice. Plus, why showing red in your trust center might be the best thing you can do for agency confidence. If you're a CSP still running manual scans and hoping for the best, this one's for you. Resources mentioned: - FedRAMP NTC-0014 (VDR/VER Mandate): https://www.fedramp.gov/notices/0014/ - FedRAMP VDR Technical Docs: https://www.fedramp.gov/docs/20x/vulnerability-detection-and-response/ - CISA BOD 26-04 Implementation Guidance: https://www.cisa.gov/news-events/directives/bod-26-04-implementation-guidance-prioritizing-security-updates-based-risk - CISA Known Exploited Vulnerabilities Catalog: https://www.cisa.gov/known-exploited-vulnerabilities-catalog - CISA SSVC Decision Tree Methodology: https://www.cisa.gov/stakeholder-specific-vulnerability-categorization-ssvc - FedRAMP NTC-0013 (Rev 5 Sunset): https://www.fedramp.gov/notices/0013/ - FedRAMP Marketplace: https://marketplace.fedramp.gov/ Learn more about Paramify: https://www.paramify.com/ Chapters: 0:00 - Transparency in Trust Centers: Why Agencies Want to See Red 0:13 - Episode Intro & FedRAMP NTC-0014 Explained 3:24 - CISA BOD 26-04 and the December 7, 2026 Deadline 5:46 - Why the Old FedRAMP Approach Is Broken 9:01 - How AI Changed the Vulnerability Landscape 11:35 - DARPA's AI Cyber Challenge at DEF CON 13:12 - Risk-Based Vulnerability Prioritization: The FedRAMP VDR Response 15:15 - Smart Architecture as a Security Foundation 20:14 - The FedRAMP VDR Standard: Scanning Requirements 21:27 - SSVC Decision Tree: Triage Methodology 22:14 - What "Internet Reachable" Actually Means 24:07 - Likely Exploitable: The CISA KEV List 26:58 - Agency Impact and the Pain Scale 28:25 - Pain Level Timelines by FedRAMP Class 31:00 - Ditching the POA&M Spreadsheet Mindset 32:10 - What to Stop Doing in the Old Model 34:17 - Boundary Diagrams vs. Terraform Truth 36:24 - Why Transparency Wins with Agency Customers 41:08 - Trust Centers Done Right: The OpenAI Status Page Example 43:06 - What Large Orgs Getting Ahead Are Doing 45:06 - Incident Response and Vulnerability Management: Blurring Lines 46:55 - Outro

May 26, 2026Episode 5842 min

FedRAMP 20x, CMMC, and the Future of GRC with Matt Bruggeman

"For years defense contractors kept hearing CMMC's coming. And then it kept not coming. So they grew this boy who cried wolf mentality where once it finally really was coming, they were like, I've heard that before." - Matt Bruggeman Kenny and Mike sit down with Matt Bruggeman, Director of Federal GTM at A-LIGN. Matt has done it all, he's a trained electrical engineer, improv comedian, and independent filmmaker. Matt's birthday was yesterday so this episode is basically his gift. Happy birthday Matt 🎂  In this episode, they talk about where CMMC actually stands today, why the November 10th Phase 2 deadline changes everything, and what FedRAMP® 20x could mean for the future of CMMC. Chapters: 00:00 The State of CMMC in 2026 01:00 Intro and Meet Matt Bruggeman 02:52 Matt's Unconventional Path to GRC 06:11 About A-LIGN and the Ascend Platform 08:14 CMMC Today: What's Working and What Needs to Change 09:19 Phase 1 vs Phase 2 and the November 10th Deadline 11:01 NIST 171 Rev 2 vs Rev 3: What's the Plan? 15:46 FedRAMP 20X: Hype vs Reality 19:01 Why FedRAMP Was Broken from the Start 23:28 How to Think About Rev 5 vs 20X for Your Business 27:52 FedRAMP Equivalency Explained 31:36 The Technical Reality of a CMMC Assessment 35:27 Compliance Doesn't Have to Be Boring 37:30 How to Get Into the GRC Space 40:19 Where to Find Matt and A-LIGN Connect with our guest: Matt Bruggeman: https://www.linkedin.com/in/matt-bruggeman/ A-LIGN: https://www.a-lign.com A-LIGN on LinkedIn: https://www.linkedin.com/company/a-lign/ Paramify: Website: https://www.paramify.com LinkedIn: https://www.linkedin.com/company/80788473/ Hosts: Kenny Scott: https://www.linkedin.com/in/kenny-g-scott/ Mike Schreiner: https://www.linkedin.com/in/mikecschreiner/

May 18, 2026Episode 5755 min

AI, FedRAMP and the "Dark Matter" of Data with Bhanu Jagasia and Vincent Tham

Is legacy compliance actually dead?  In this episode of the Paramify Podcast, we sit down with Bhanu Jagasia and Vincent Tham from BladeStack to talk about the massive shift happening in the GRC world. From the "dark matter of data" to the transition toward FedRAMP 20X, we’re moving away from 1,500-page "black box" documents and toward real-time, automated evidence. We also dive deep into the AI hype: Will knowledge workers be automated by 2027? Why does "vibe coding" fail in high-stakes compliance? And how can lean teams punch above their weight class using deterministic automation? Connect with BladeStack: LinkedIn: bladestack.io Bhanu Jagasia: linkedin.com/in/bhanujagasia Vincent Tham: linkedin.com/in/vincenttham Website: bladestack.io Connect with Paramify: LinkedIn: linkedin.com/company/paramify Kenny Scott: linkedin.com/in/kenny-g-scott Mike Schreiner: linkedin.com/in/mikecschreiner Website: paramify.com 0:00 Intro & Evidence Automation 1:27 Welcome to the Paramify Podcast 3:00 How Bladestack Got Started 6:29 Evidence Automation & the "Dark Matter" of Data 12:31 Why Expertise Still Matters in FedRAMP 14:37 Bladestack's Tech-First Approach to Compliance 18:40 AI Hype vs Reality in FedRAMP 22:52 Understanding What LLMs Actually Are 26:34 The Problem with Legacy SSPs 28:06 Why FedRAMP 20X Changes Everything 36:40 The Legacy FedRAMP Process Was Broken 40:32 How Bladestack Leverages AI Internally 43:19 Branding in an AI-Commoditized World 46:31 AI's Impact on the Threat Landscape 49:53 The Future of Compliance 54:00 Where to Find Bladestack

May 12, 2026Episode 561 hr 6 min

GRC Engineering, FedRAMP 20x, and AI with Ethan Troy

"Anytime someone says something is dead, that's exactly what I have to go learn." - Ethan Troy Kenny and Isaac sit down with Ethan Troy, Senior GRC Engineer at TRM Labs, Head of AI Research at GRC Engineering Club, and Hacker at hackIDLE. One of the GOATs of GRC engineering. He's been shipping GRC tools, automations, and agents nonstop. He's assessed FedRAMP packages from the 3PAO side at Coalfire and A-LIGN. He's pentested for the Department of the Treasury. He built a FedRAMP 20x assessment app before most people knew what 20x was. His job interview at TRM Labs? They made him build an AI agent. And yes, this is the first Paramify Podcast Isaac is on. We got into: → Why now is the best time to learn something new  → Why 85% of a good GRC agent is deterministic code, not AI  → How to actually build agents (dog food your own stuff, stop one-shotting)  → Why the SSP is becoming the SSDR (System Security Decision Record) and what that means for FedRAMP® 20x  → Why domain expertise is what separates good AI output from great AI output FedRAMP is changing rapidly. Want to learn more about these changes check out this webinar here: https://lnkd.in/ge9wQ2Zf Learn more about Ethan Troy: https://www.linkedin.com/in/ethantroy/?skipRedirect=true Learn more about TRM Labs:  https://www.trmlabs.com/ Learn more about Kenny Scott:  https://www.linkedin.com/in/kenny-g-scott/ Learn more about Isaac Teuscher:  https://www.linkedin.com/in/isaacteuscher/ Learn more about Paramify: https://www.paramify.com/ Chapters: 00:58 - Introductions & GRC Engineering 02:12 - From Nursing to Cybersecurity 05:18 - The Problem with Legacy GRC Tools 12:13 - FedRAMP 2.0: The End of SSPs? 16:48 - The FedRAMP Marketplace Metaphor 24:38 - Outcome-Based vs. Hourly Consulting 31:51 - Automating Evidence Collection 37:16 - AI & Real-Time Incident Response 45:10 - Secure Configuration Guides 52:43 - Building an AI-First Culture 58:51 - Principles for AI Agents in GRC 01:05:03 - The 85/15 Rule for AI Logic

March 2, 2026Episode 5555 min

Justin Merhoff on FedRAMP 20x, Secure AI, Trust Centers, and Modern Cybersecurity

In this episode of The Paramify Podcast, Kenny sits down with Justin Merhoff to talk about what makes security actually work: usability, speed, adaptability, and real-world adoption. Justin shares lessons from nearly three decades in cybersecurity, from his time in the U.S. Army to leading security and compliance programs in the private sector. The conversation covers FedRAMP 20x, trust centers, secure AI, accessibility in cybersecurity, and why security should support the business instead of slowing it down. They also get into the real burden of FedRAMP and CMMC documentation, why better tooling can reduce burnout for lean security teams, and why “usable security” is often the difference between a control that works in practice and one that only looks good on paper. Note: At the time this episode was recorded, Justin was with Rhymetec. He is now Director of Compliance at DTEX.ai. Links: Justin Merhoff on LinkedIn: https://www.linkedin.com/in/justinmerhoff Kenny Scott on LinkedIn: https://www.linkedin.com/in/kenny-g-scott DTEX.ai: https://www.dtex.ai/ Paramify: https://www.paramify.com/ In this episode, you’ll hear: - Why usable security is better security - How secure AI can help small teams move faster - Why trust centers are becoming more important - How accessibility gaps can create real security risk - Why servant leadership matters in cybersecurity - Why FedRAMP 20x is shifting the focus back to risk Chapters: 0:00 Secure AI, lean teams, and why the right tools matter 1:12 Intro to Justin Merhoff 2:08 How Justin got started in cybersecurity 8:31 Army stories, leadership, and early security lessons 16:06 Moving from the military into corporate security 19:17 Why security should enable the business 20:45 The future of trust centers 25:20 Secure AI, small teams, and reducing compliance burnout 29:32 Why FedRAMP 20x is a needed change 36:31 Cyber leadership, adaptability, and how people break into security 44:13 Why accessibility is a cybersecurity issue 51:18 What Justin was doing at the time and how Rhymetec helps clients 54:35 Outro This episode is a great listen for anyone working in FedRAMP, CMMC, GRC, compliance, security leadership, or third-party trust.

February 17, 2026Episode 5428 min

An Apropos of Nothing

Today's episode is An Apropos of Nothing. This episode is optional, you can skip it if you want, but it's a pretty honest glimpse into what hanging out with us is actually like.

February 2, 2026Episode 5354 min

Making Risk Make Sense with Rob Black

“There’s a 5% chance of a $5 million loss. Is it exactly right? No. But it’s way better than saying medium, because medium means nothing.” Kenny sits down with Rob Black, Founder and CEO of Fractional CISO, to break down how to translate cyber risk into language executives actually act on: probability, dollars, tradeoffs, and clear acceptance instead of vague labels that disappear into a slide deck. We also get into the “magic genie” myth of GRC tools, what vCISO looked like back in 2017, and the origin story behind Rob’s legendary wig videos. Key takeaways: • How to quantify risk without pretending it’s perfectly precise • Why “high/medium/low” breaks the conversation with leadership • Where humans are still required (even with great tools) Learn more about Rob Black here:  https://www.linkedin.com/in/blackrob/ Learn more about FractionalCISO: https://fractionalciso.com/ Learn more about Kenny: https://www.linkedin.com/in/kenny-g-scott/ Learn more about Paramify: https://www.paramify.com/

January 20, 2026Episode 5247 min

From Film to FedRAMP with Justin Rende

Federal compliance is having a moment. FedRAMP, FedRAMP 20x, CMMC, the whole alphabet soup is going mainstream, fast. In this episode of The Paramify Podcast, we sit down with Justin Rende, Founder and CEO of Rhymetec, to talk about what’s actually changing, what’s still painfully hard, and why “compliance automation” only works if you stay obsessed with real risk. Justin also shares his origin story (tech ➝ film festivals ➝ tech), how Rhymetec grew from early penetration tests into full vCISO and compliance programs, and the most New York lead gen strategy ever: biking around the city delivering Google Homes and handwritten notes to prospects. If you’ve ever been promised an “easy button” for SOC 2, ISO, or FedRAMP, this one’s for you. In this episode: Why federal compliance is exploding (and why it’s not slowing down) FedRAMP 20x and the pace of government innovation (yes, really) The risk of “checkbox compliance” in a world of automation How to set expectations with customers when security is never just one toggle Bootstrapping, building recurring revenue, and staying flexible Customer experience as the real differentiator (care scales better than you think) Where to find Justin and Rhymetec: https://rhymetec.com   / justin-rende   Learn more about Paramify:  Paramify website: https://www.paramify.com/ Mike Schreiner (LinkedIn):   / mikecschreiner   Kenny Scott (LinkedIn):   / kenny-g-scott   Chapters 0:00 Federal compliance is exploding (and getting mainstream) 0:30 Welcome to The Paramify Podcast + Justin Rende intro 1:34 Justin’s origin story: tech ➝ film ➝ tech 2:53 Starting Rhymetec with pentesting (and betting on SaaS early) 4:25 Tribeca and Doha: running VIP experiences and meeting “heroes” 5:33 The real lesson from film: make the customer have a good time 7:01 Mess-ups happen, recovery is the job 8:15 “Don’t meet your heroes” (Rudy story) 9:24 Leaving film, chasing stability, spotting outdated consulting 10:43 Bootstrapping vs taking investment and why flexibility wins 13:53 From big pentest checks to recurring revenue and vCISO programs 15:24 Employee experience: quality of life, culture, and remote done right 18:10 SOC 2 and ISO automation: the pros, the cons, and the risk gap 20:25 The “easy button” myth (MFA is never just one button) 21:38 Sales overpromising, complexity, and doing right by the customer 25:36 Biking NYC: Google Homes, handwritten notes, and standing out 27:13 “Magic” in packaging, Alchemy, and why it works 31:28 Why Rhymetec leaned into federal compliance 32:24 SOC 2 race to the bottom vs doing it the right way 39:15 What’s improving in federal compliance (and what still hurts) 40:11 FedRAMP 20x innovation and building in public 42:52 FedRAMP scale, CMMC scale, and why it’s all accelerating 44:29 Legacy environments and why DoD adoption takes longer 46:24 Where to find Rhymetec + closing thoughts

January 5, 2026Episode 511 hr 25 min

GRC Lasagna with Ayoub Fandi

“There’s this misconception in the marketplace that you need to be a coder to do GRC Engineering. You don’t. I don’t want people to be bogged down in scripting. I want them to be systems thinkers focusing on architecture and orchestration.” Kenny and Mike sit down with the GOATed pioneer of GRC Engineering, Ayoub Fandi. In case you’ve been living under a rock, Ayoub is the Security Assurance Automation Team Lead at GitLab and the Founder of GRC Engineer. This episode covers Ayoub’s wild pivot from middle school English teacher to sending 500 cold LinkedIn DMs to break into security. We dive into his first trip to Utah (discovery of "sugarcane fillets" and life-changing butter cake), why APIs are the “landlines” of the past, and how he sparked the movement behind the GRC Engineering Manifesto to give practitioners their own “Phoenix Project” moment for compliance. Key Takeaways: * Systems Over Scripts: GRC Engineering isn't about being a "coder." It’s about systems thinking and moving away from the "crawl space" of manual scripting. * The "Cell Phone" Moment: Why GRC is skipping the "landline" era of APIs and jumping straight to agentic workflows with MCP (Model Context Protocol). * FedRAMP® 20x: How Key Security Indicators (KSIs) move the burden of proof from 4,000-page narratives to 80%+ automated validation. * The 7-Minute Threat: AI-powered adversaries can pop a machine in 7 minutes. If your compliance isn't "threat-driven," it's irrelevant. Learn more about Ayoub: Gitlab: https://about.gitlab.com/  GRC Engineer: https://grcengineer.com/ GRC Engineer Podcast: https://www.youtube.com/channel/UC8cvmIXoEEBs0dryLh2p2cA Ayoub's LinkedIn: https://www.linkedin.com/in/ayoubfandi/ Learn more about Paramify: Website: https://www.paramify.com/ Kenny's LinkedIn: https://www.linkedin.com/in/kenny-g-scott/ Mike's LinkedIn: https://www.linkedin.com/in/mikecschreiner/ Chapters 00:00 Intro — Utah, butter cake, and Ayoub's first time in the U.S. 02:00 How Ayoub got into GRC (500 cold DMs and ISO cramming) 09:00 Struggling to commit to GRC — until Adobe's program changed everything 13:00 What GRC Engineering actually means 15:00 Why evidence collection is plumbing, not strategy 20:00 Why AI won’t kill GRC — it’ll force it to grow up 25:00 Architecting assurance: the new role of GRC 30:00 Why APIs are losing ground to agentic protocols like MCP 35:00 Landlines vs. Cell Phones: How automation skipped a generation 38:00 Platformization, assurance, and the SaaS vendor dilemma 43:00 Can platforms fix SOC 2 quality? 48:00 Sticker fatigue and the case for continuous assurance 52:00 Why threat-driven compliance is the only way forward 56:00 Advice for early-career GRC professionals in an AI-native world

Is this your show?

Claim this listing to keep it up to date, reach guests who want to pitch you, and manage bookings with Guestify.

Claim this listing

More Business podcasts