In this episode, I sit down with Mitchel Herckis, Global Head of Government Affairs at cloud security leader Wiz.

We will be discussing all things public sector and cybersecurity, including the evolution of the FedRAMP program, modernizing vulnerability management, and the future of Continuous ATO (cATO).

We covered a lot of ground, including:

• Mitch’s background, both at Wiz and inside Government at roles such as OMB
• How Wiz is working with Federal agencies and Defense Industrial Base (DIB) partners on Cloud Security, including the long-needed overhaul of FedRAMP with FedRAMP 20x’s efforts.
• The move towards real Continuous Monitoring (ConMon) with real-time visibility of cloud environments, as well as the need for machine-readable artifacts, automations, and streamlined security control assessments.
• The modernization of vulnerability management, including factors such as attack paths, reachability, exploitability, known exploitation, and the importance of focusing on real risks versus noise.
• Moving away from paper-based compliance exercises and bridging the gap between security and compliance.
• Wiz’s role as a CVE Numbering Authority (CNA) and the broader CVE program, including its importance for both the Government and industry when it comes to vulnerability management.
• To evolving usage of SBOMs and broader supply chain security.
• Disjointed efforts around the Government at both the Federal at State levels when it comes to Continuous ATO (cATO) and how we can move towards a more cohesive approach to modern system assessment and authorization.
• The importance of Government Affairs and bridging the divide between industry and Government, including bringing in tech leaders into Government, influencing policy, and improving outcomes for citizens and warfighters alike.
• The dual-edged sword that is AI adoption in the public sector.

In this episode of Resilient Cyber, I sit down with Founder & CEO of Paramify, Kenny Scott, to unpack the evolution of the FedRAMP program, FedRAMP 20x, and discuss what the public sector cloud compliance looks like moving into the future.

Kenny and I dove into a lot of topics, including:

• What FedRAMP is and why it matters
• What FedRAMP 20x is and what longstanding challenges associated with FedRAMP and public sector cloud and compliance it is addressing
• The various aspects of FedRAMP 20x, including its phased rollout
• Changes via FedRAMP 20x when it comes to Key Security Indicators (KSI), and how they differ from “controls”
• FedRAMP’s modern vulnerability management approach and how it changes from the way vulnerability was historically handled under FedRAMP
• The importance of automated assessments, machine-readable artifacts, real Continuous Monitoring (ConMon), and more for practical GRC Engineering
• The role of GRC platforms when it comes to modernizing GRC
• What are the implications of FedRAMP 20x for other public sector compliance programs, such as DoD’s SWFT, SRG, and RMF

• Subscribe now

In this episode of Resilient Cyber, I sit down with repeat guest Snehal Antani, who serves as the Co-Founder & CEO of Autonomous Pen Testing leader Horizon3.ai.

We will discuss the latest developments in AI and Autonomous Pen Testing, as well as the tremendous growth and success of Horizon3.ai, as Snehal balances technical topics with business-centric hard won wisdom of growing an industry leading organization.