
GRC Engineer From Checklists to Code: Engineering the Future of FedRAMP w/ Pete Waterman
Paramify is making FedRAMP (Rev 5 or 20x), GovRAMP & CMMC fun.
Get your $750 Gap Assessment at paramify.com/grc.
To get access to the deep-dive transcript, subscribe to the GRC Engineer newsletter: grcengineer.com/subscribe
Wrong ink colours. $300,000 authorizations. Congressional investigations within the first month. How do you fix federal compliance from the inside? In this episode, Pete Waterman, Director of FedRAMP, shares how he's applying 20+ years of engineering experience to rebuild federal authorization from first principles.
What started with "violent hatred" of the programme has become one of the most significant transformations in government compliance. Pete's approach is radically different: treat policy like code, make the secure thing the easy thing, and let engineers lead whilst compliance follows. The results speak for themselves.
Key Topics Discussed:
The Problem State: How FedRAMP became a programme where perfection was fetishised beyond security, packages were rejected for cosmetic issues, and $300k costs prevented small teams from using modern tools
FedRAMP 20X Architecture: The dual-path strategy: improving Rev5 whilst building something entirely new with Key Security Indicators, machine-readable evidence, and persistent validation
Risk-Based Authorization: Why "my job is to make the government take more risks" - moving from bar-based to spectrum-based assessment where agencies choose based on their risk tolerance
Engineering-First Requirements: How KSIs like "prevent unauthorized access" replace "do these 18 specific things" and why cloud-native thinking changes everything
Radical Transparency Doctrine: Why posting roadmap updates every two weeks on GitHub creates trust and how "pre-decisional" anxiety is outdated thinking
About the Guest:
Pete Waterman is Director of FedRAMP, bringing over 20 years of engineering leadership experience to federal compliance. Previously worked with US Digital Service as a cloud expert, the Technology Modernization Fund coaching agencies on modernization, and ran engineering at an AI company. He took over FedRAMP in August 2023 with a mandate to transform the programme from an engineering-first perspective.
Connect with Pete:
Pete Waterman: https://www.linkedin.com/in/petewaterman/
About The GRC Engineer: The GRC Engineer explores how engineering principles are transforming governance, risk, and compliance. Hosted by Ayoub Fandi, each episode features practitioners, leaders, and innovators who are building the future of GRC through automation, code, and systems thinking.
Subscribe for episodes and entries featuring deep-dives into GRC automation, compliance as code, risk engineering, and the intersection of security, compliance, and software development.
🌐 Visit: grcengineer.com
💼 Connect: linkedin.com/in/ayoubfandi
📧 Newsletter: grcengineer.com/subscribe
#GRCEngineering #FedRAMP #Compliance #Automation #CyberSecurity #RiskManagement #DevSecOps #CloudSecurity
