FedRAMP as we know it is changing. In this episode, Mike and Kenny sit down with Mike “Waffle” Craig, founder and CEO of Vanaheim Security and longtime cloud and cybersecurity leader, to unpack what FedRAMP 20x means for agencies and vendors across FedCiv and DoD. We get into compliance philosophy, how to define your boundary the right way, why sponsorship strategies matter, and where scalability will make or break 20x.
Mike Craig shares hard-won lessons from incident response, multi-cloud ATOs, and advising startups so they don’t burn six or seven figures chasing the wrong path.
What we cover:
• Why FedRAMP 20x signals the future of federal compliance
• Sponsorship realities, Ready pitfalls, and how small vendors survive
• Boundary, data flows, and “if you can’t draw it, you can’t secure it”
• Zero trust in practice and multi-zone risk profiles across stacks
• AI and LLM/RAG inside a FedRAMP world and change approval at scale
• JAB is gone, human variance is not, and how to navigate the psychology of yes
• CSfC as a model for defined stacks and what that could mean for AI patterns
• Practical diagramming tips and the surprising power of PowerPoint
• The “Waffle” origin story and a DoD “Beta Blocks” style experiment
Guest:
Learn more about Mike Craig: https://www.linkedin.com/in/michaelcraig26/
Learn more about Vanaheim Security: www.vanaheimsecurity.com
Learn more about Paramify:
https://www.paramify.com/?utm_source=MikeCraig&utm_medium=Podcast&utm_campaign=Mikecraig&utm_id=Podcast&utm_term=podcast&utm_content=Mikecraig
Exploring FedRAMP 20x, GovRAMP, FISMA, or CMMC and want a faster path to audit-ready deliverables and ConMon at scale? Talk to Paramify. We help teams get compliant and stay compliant 90% faster at a quarter of the cost.
Timestamps / Chapters
0:00 — “FedRAMP as we know it” and the 20x future
1:42 — Welcome back to The Paramify Podcast (Mike & Kenny)
3:01 — Meet Mike “Waffle” Craig (Vanaheim Security)
4:04 — Hero’s journey: Air Force → cyber → IR → compliance
5:04 — “Cyber warfare” era and being the translator across teams
6:02 — Global regs, midnight IR, and burnout
7:04 — From IR to compliance architecture & multi-cloud ATOs
8:05 — Protecting small vendors from six–seven figure mistakes
9:11 — When compliance runway kills a program (DoD case)
11:03 — Waffle’s 0% abandonment rate and why it matters
11:14 — DoD “defense combine” experiment (Beta Blocks vibe)
13:41 — Operators, COs, entrepreneurs: fixing feedback loops
16:26 — Federal sponsorship 101 (pre-20x) and targeting wisely
18:16 — Two bad options for first-timers: sponsor vs. Ready gamble
21:02 — FedRAMP Ready pitfalls and the 12-month clock
22:08 — Cost realities (150k+ assessments) for small teams
22:44 — Why 20x changes the game (starting low, scaling up)
27:04 — Compliance philosophy: scope, boundaries, and frameworks
30:00 — “If you can’t draw it, you can’t secure it” (data flows)
31:04 — Hot take: PowerPoint is the best diagramming tool
33:39 — Prototype confession: Excel/Sheets and millennial ops
37:39 — 20x at scale: staffing, humans-in-the-loop, and risk
39:07 — Post-JAB reality: more variance, harder prediction
40:05 — LLM/RAG in FedRAMP: data sources & significant change
42:05 — Boundaries got harder—how to think about them
43:08 — Paramify’s CIA risk profile approach across stacks
47:01 — Corporate, dev, infosec, tech-ops: multi-zone modeling
49:05 — Knowing your data (AI makes the gap bigger, faster)
50:06 — Control weighting & psychology of “yes”
50:47 — NSA CSfC as a model for defined stacks
52:02 — Could FedRAMP define AI patterns? (playbook potential)
54:46 — Where to find Mike / Vanaheim Security
55:31 — Name jokes and close