From Checklists to Code: Engineering the Future of FedRAMP w/ Pete Waterman episode artwork

EPISODE · Oct 28, 2025 · 1H 43M

From Checklists to Code: Engineering the Future of FedRAMP w/ Pete Waterman

from GRC Engineer · host Ayoub Fandi

Paramify is making FedRAMP (Rev 5 or 20x), GovRAMP & CMMC fun. Get your $750 Gap Assessment at paramify.com/grc.To get access to the deep-dive transcript, subscribe to the GRC Engineer newsletter: grcengineer.com/subscribeWrong ink colours. $300,000 authorizations. Congressional investigations within the first month. How do you fix federal compliance from the inside?In this episode, Pete Waterman, Director of FedRAMP, shares how he's applying 20+ years of engineering experience to rebuild federal authorization from first principles. What started with "violent hatred" of the programme has become one of the most significant transformations in government compliance.Pete's approach is radically different: treat policy like code, make the secure thing the easy thing, and let engineers lead whilst compliance follows. The results speak for themselves.Key Topics Discussed:The Problem StateHow FedRAMP became a programme where perfection was fetishised beyond security, packages were rejected for cosmetic issues, and $300k costs prevented small teams from using modern toolsFedRAMP 20X ArchitectureThe dual-path strategy: improving Rev5 whilst building something entirely new with Key Security Indicators, machine-readable evidence, and persistent validationRisk-Based AuthorizationWhy "my job is to make the government take more risks" - moving from bar-based to spectrum-based assessment where agencies choose based on their risk toleranceEngineering-First RequirementsHow KSIs like "prevent unauthorized access" replace "do these 18 specific things" and why cloud-native thinking changes everythingRadical Transparency DoctrineWhy posting roadmap updates every two weeks on GitHub creates trust and how "pre-decisional" anxiety is outdated thinkingAbout the Guest:Pete Waterman is Director of FedRAMP, bringing over 20 years of engineering leadership experience to federal compliance. Previously worked with US Digital Service as a cloud expert, the Technology Modernization Fund coaching agencies on modernization, and ran engineering at an AI company. He took over FedRAMP in August 2023 with a mandate to transform the programme from an engineering-first perspective.Connect with Pete:Pete Waterman: https://www.linkedin.com/in/petewaterman/About The GRC Engineer: The GRC Engineer explores how engineering principles are transforming governance, risk, and compliance. Hosted by Ayoub Fandi, each episode features practitioners, leaders, and innovators who are building the future of GRC through automation, code, and systems thinking.Subscribe for episodes and entries featuring deep-dives into GRC automation, compliance as code, risk engineering, and the intersection of security, compliance, and software development.🌐 Visit: grcengineer.com 💼 Connect: linkedin.com/in/ayoubfandi 📧 Newsletter: grcengineer.com/subscribe#GRCEngineering #FedRAMP #Compliance #Automation #CyberSecurity #RiskManagement #DevSecOps #CloudSecurity

Episode metadata supplied by the publisher feed · Published Oct 28, 2025

Paramify is making FedRAMP (Rev 5 or 20x), GovRAMP & CMMC fun. Get your $750 Gap Assessment at paramify.com/grc.To get access to the deep-dive transcript, subscribe to the GRC Engineer newsletter: grcengineer.com/subscribeWrong ink colours. $300,000 authorizations. Congressional investigations within the first month. How do you fix federal compliance from the inside?In this episode, Pete Waterman, Director of FedRAMP, shares how he's applying 20+ years of engineering experience to rebuild federal authorization from first principles. What started with "violent hatred" of the programme has become one of the most significant transformations in government compliance.Pete's approach is radically different: treat policy like code, make the secure thing the easy thing, and let engineers lead whilst compliance follows. The results speak for themselves.Key Topics Discussed:The Problem StateHow FedRAMP became a programme where perfection was fetishised beyond security, packages were rejected for cosmetic issues, and $300k costs prevented small teams from using modern toolsFedRAMP 20X ArchitectureThe dual-path strategy: improving Rev5 whilst building something entirely new with Key Security Indicators, machine-readable evidence, and persistent validationRisk-Based AuthorizationWhy "my job is to make the government take more risks" - moving from bar-based to spectrum-based assessment where agencies choose based on their risk toleranceEngineering-First RequirementsHow KSIs like "prevent unauthorized access" replace "do these 18 specific things" and why cloud-native thinking changes everythingRadical Transparency DoctrineWhy posting roadmap updates every two weeks on GitHub creates trust and how "pre-decisional" anxiety is outdated thinkingAbout the Guest:Pete Waterman is Director of FedRAMP, bringing over 20 years of engineering leadership experience to federal compliance. Previously worked with US Digital Service as a cloud expert, the Technology Modernization Fund coaching agencies on modernization, and ran engineering at an AI company. He took over FedRAMP in August 2023 with a mandate to transform the programme from an engineering-first perspective.Connect with Pete:Pete Waterman: https://www.linkedin.com/in/petewaterman/About The GRC Engineer: The GRC Engineer explores how engineering principles are transforming governance, risk, and compliance. Hosted by Ayoub Fandi, each episode features practitioners, leaders, and innovators who are building the future of GRC through automation, code, and systems thinking.Subscribe for episodes and entries featuring deep-dives into GRC automation, compliance as code, risk engineering, and the intersection of security, compliance, and software development.🌐 Visit: grcengineer.com 💼 Connect: linkedin.com/in/ayoubfandi 📧 Newsletter: grcengineer.com/subscribe#GRCEngineering #FedRAMP #Compliance #Automation #CyberSecurity #RiskManagement #DevSecOps #CloudSecurity

PodParley-generated summary based on available episode metadata and transcript content.

NOW PLAYING

From Checklists to Code: Engineering the Future of FedRAMP w/ Pete Waterman

0:00 1:43:52

No transcript for this episode yet

We transcribe on demand. Request one and we'll notify you when it's ready — usually under 10 minutes.

AI Generated - EDU Video Podcast Magnus Lian Explore how video tools and AI are transforming education with Magnus Sæternes Lian, Senior Engineer at NTNU and founder of ReadyMedia. This podcast dives into the latest video technologies, real-world use cases, and actionable insights for educators and tech enthusiasts. Created using cutting-edge AI tools like GoogleLM and ElevenLabs, all content is verified for accuracy. Discover practical solutions and stay ahead in the evolving landscape of educational technology! The Driven To Draw Podcast: Self Improvement|Painting|Drawing|Visual Problem Solving|Unleashing the Creativity Within! Arvind Ramkrishna/Designer/Artist/Engineer The Driven to Draw Podcast will teach you how to solve problems visually, think outside the box, build your confidence, generate ideas, and innovate.You'll hear from top creative artists, designers, engineers, and photographers who share their techniques to create products, broaden their creative abilities, and share the benefits of thinking visually.No matter your background or area of expertise, Driven to Draw will be your constant motivator to help you become your best…and Unleash the Creative Within! Prompt / AI Podcast from Japan Inyu | prompt engineer JPN I'm a Japanese prompt engineer. On this podcast, I talk about my job, research of AI and prompting. Mohammad Qutub Muslim Central Dr. Mohammad Qutub is an Islamic scholar with several decades of experience as a teacher and orator. He completed his Master’s and PhD degrees in Uṣūl al-Dīn and Comparative Religion at the International Islamic University Malaysia (IIUM), and has several Ijāzahs (licenses) and certificates in Qur’an, Hadith, etc. He has spoken internationally in the Middle East, the U.S., and Southeast Asia and regularly holds intensive seminars and university lectures. His passions and research revolve around: Islamic thought and history, Qur’anic Tafsīr, scientific Iʿjāz (inimitability) in the Qur’an and Sunnah, and comparative religion. He teaches students of all different ages and backgrounds in-person and online. He is also an engineer by profession with a Bachelor of Science in Chemical Engineering from the U.S., and extensive experience in the field of Industrial Gases.

Frequently Asked Questions

How long is this episode of GRC Engineer?

This episode is 1 hour and 43 minutes long.

When was this GRC Engineer episode published?

This episode was published on October 28, 2025.

What is this episode about?

Paramify is making FedRAMP (Rev 5 or 20x), GovRAMP & CMMC fun. Get your $750 Gap Assessment at paramify.com/grc.To get access to the deep-dive transcript, subscribe to the GRC Engineer newsletter: grcengineer.com/subscribeWrong ink colours. $300,000...

Can I download this GRC Engineer episode?

Yes, you can download this episode by clicking the download button on the episode player, or subscribe to the podcast in your preferred podcast app for automatic downloads.
URL copied to clipboard!