#44 - Karen Laughton on FedRAMP 20X, AI, and the Future of Compliance

In this episode of the Paramify Podcast, Karen Laughton, EVP of Advisory at Coalfire, joins Kenny Scott (CEO of Paramify) and Mike Schreiner to unpack the future of government cybersecurity and compliance modernization. From the hard realities of FedRAMP 20X to lessons learned from the early days of FSMA and CMMC confusion, this conversation pulls no punches. Karen shares how she broke into cybersecurity via HR (and a saltine-fueled CISSP exam), why automation without strategy won’t scale, and what it's going to take to make 20X work at moderate and high baselines. If you're curious where compliance, automation, AI, and public sector modernization are headed—you’ll want to tune in. ⏱️ Timestamps: 00:00 – "Dang, we need to modernize our government" — Karen's IRS nightmare becomes a metaphor for digital transformation. 02:44 – Meet Karen Laughton: Coalfire EVP, community leader, and accidental cyber exec. 03:35 – Saltines, pregnancy, and passing the CISSP: Karen’s origin story in cyber. 08:01 – AC-7 and the mouse jiggler: when coarse-grained controls meet real-world demos. 10:03 – FedRAMP in the early days: the “marathon in flip-flops” era of inconsistent TR feedback. 13:01 – The worst documentation nitpicks Karen’s ever seen (IP addresses and diagram chaos). 14:46 – FedRAMP then vs. now: why decentralization could hurt even as risk-focus improves. 17:28 – What scaling 20X to moderate and high will actually require. 20:03 – Are we solving the right problem with KSIs? Recapping Coalfire's “automation of arrested development” blog. 23:08 – Why automation isn’t a silver bullet (and why it still needs humans). 24:57 – 3PAOs aren't going anywhere — and that’s not just job security talk. 26:15 – Andrej Karpathy, robot soccer, and the early innings of AI assurance. 29:30 – Why agencies aren’t lining up to sponsor FedRAMP 20X. 31:08 – How Coalfire responded to 20X: culture, planning, and Compliance Essentials. 33:41 – Leveraging Paramify to accelerate automation where it makes sense. 36:42 – Politics, acquisitions, and why automation hits limits in complex orgs. 37:27 – DoD, CMMC, and 20X: where things stand and why there’s still confusion. 41:01 – The case for CMMC enclaves (and why most orgs want to isolate the mess). 42:00 – Mentorship, career pivots, and embracing “knowing nothing” as a superpower. 47:58 – Why questions make you smarter — and why cybersecurity people love answering them. 50:00 – Why cybersecurity never gets boring (and feels like a family reunion at every conference). 50:59 – Wrap-up & future part two tease. Learn more about Coalfire: https://coalfire.com/ Learn more about Karen Laughton: https://www.linkedin.com/in/karen-laughton-6484115/ Learn more about Paramify: https://www.paramify.com/ Learn more about Kenny: https://www.linkedin.com/in/kenny-g-scott/ Learn more about Mike: https://www.linkedin.com/in/mikecschreiner/