There was no ready-made guide to follow.
No earlier version to reference.
No well-grounded knowledge of how this model truly performed in real-world conditions.
At the same time, we weren’t attempting to tackle FedRAMP 20x the way conventional compliance efforts are handled.
We created direct API connections that enabled FedRAMP and auditors to retrieve comprehensive machine-readable datasets in JSON format straight from the platform. Human-readable exports were still available where necessary, but the priority was revealing real operational data rather than assembling curated, static proof.
That’s also one of the foundational ideas driving FedRAMP 20x itself. Controls are increasingly expected to be both machine-readable and human-readable. The fundamental expectation is that a significant share of controls should be automated, with continuous evidence flowing behind them rather than static evidence being manually compiled ahead of an audit.
In practical terms, this means auditors no longer simply examine a snapshot evidence package. Instead, they obtain ongoing access to operational datasets and can probe those environments in a far more dynamic fashion.
This represents a fundamentally different way of thinking compared to traditional compliance.
And truthfully, I believe that distinction is part of what made the entire experience so worthwhile.
We didn’t fail. We iterated
Because I don’t genuinely believe what occurred next was a failure.
I consider it iteration.
Today’s engineering teams don’t deliver flawless software on their initial attempt. They test, reconstruct, refine, enhance, and iterate continuously, driven by telemetry and feedback.
Software applications go through:
- Testing
- User feedback
- Redesign
- Bug fixing
- Telemetry analysis
- Continuous improvement
No one anticipates version one to be flawless.
Yet historically, GRC has operated in a completely different manner.
Build the controls.
Gather the evidence.
Pass the audit.
Do it all again the following year.
The audit becomes the finish line. Our finish line turned into a “solid effort” and a “we believe you’re on track for a Low authorization, but not quite Moderate yet.” For a brief moment, it felt like failure. It stung. It felt fundamentally unlike any other evaluation or audit, because we genuinely had no clear sense of what we had accomplished. In reality, FedRAMP 20x feels fundamentally different, and perhaps that’s the entire point.
The process itself became the feedback.
Not: Can you craft a persuasive enough narrative?
But: What does your environment genuinely resemble, and how do you continuously strengthen it?
That represents an entirely different way of thinking.
A recurring theme throughout FedRAMP 20x is that assurance should advance through ongoing iteration rather than yearly point-in-time validation.
Precisely.
That’s how engineering operates.
The Low authorization wasn’t the final destination. It was a checkpoint and a recalibration point that guided us toward where the next iteration needed to head.
And truthfully, if you can fast-track a FedRAMP Moderate authorization with immaculate dashboards and no uncomfortable realities surfacing, then the framework likely isn’t fulfilling its purpose.
That’s one of the aspects I genuinely value about FedRAMP 20x.
It tests your assumptions.
It compels you to reconsider approaches that have become standard practice across broad segments of the compliance industry.
In the past, demonstrating infrastructure security often involved screenshots or exported configurations. Now we can expose every virtual machine, every drift event, and the complete history of posture changes across the environment.
This dramatically shifts behavior because you can no longer optimize around the cleanest possible sample. You must sustain the actual posture at all times.
In the past, demonstrating SDLC maturity meant cherry-picking a small number of pull requests. Now we can expose the full workflow, including every bypassed approval or manual deployment into production.
In the past, demonstrating identity governance meant sampled joiner/mover/leaver reviews. Now we can expose the operational history of the entire identity lifecycle spanning years.
And honestly, that was one of the areas that challenged some of our own assumptions the most profoundly.
Traditional sampled evidence can make processes appear consistently successful because you’re only examining hand-picked examples. But operational truth tells a different story. A single joiner, mover, or leaver process that fails in the wrong way is all it takes for the risk to materialize.
That’s precisely the kind of issue that continuous operational visibility uncovers far more rapidly than traditional evidence collection ever could.
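To make the identity-lifecycle point concrete, here is an added example (not the article’s code, and not any real FedRAMP or vendor tooling) that evaluates leaver deprovisioning over the full operational history rather than a hand-picked sample, and renders the result as machine-readable JSON of the kind an auditor could pull through an API. The HR terminations, the IdP audit events, the 24-hour disable SLA and the control label are all constructed assumptions for illustration.

```python
"""Continuous leaver-deprovisioning evidence (added example, not from the article).

Joins an assumed HR termination feed to an assumed IdP audit log and reports,
for every leaver, whether the account was disabled within the SLA, late, or not
at all. All sample data, the SLA and the control label are constructed.
"""
import json
from datetime import datetime, timedelta

# Assumed policy: a leaver's account must be disabled within 24 hours of termination.
LEAVER_SLA = timedelta(hours=24)

# Constructed HR feed: one record per termination.
HR_TERMINATIONS = [
    {"user": "alice", "terminated_at": "2024-03-01T17:00:00Z"},
    {"user": "bob",   "terminated_at": "2024-03-08T17:00:00Z"},
    {"user": "carol", "terminated_at": "2024-03-15T17:00:00Z"},
    {"user": "dave",  "terminated_at": "2024-03-22T17:00:00Z"},
]

# Constructed IdP audit log. Note carol only had groups removed; the account
# itself was never disabled, which is the failure mode a sample never shows.
IDP_EVENTS = [
    {"user": "alice", "action": "account.disable", "at": "2024-03-01T17:20:00Z"},
    {"user": "bob",   "action": "account.disable", "at": "2024-03-09T09:00:00Z"},
    {"user": "carol", "action": "group.remove",    "at": "2024-03-15T18:00:00Z"},
    {"user": "dave",  "action": "account.disable", "at": "2024-03-26T10:00:00Z"},
]


def parse_ts(value: str) -> datetime:
    """Parse the ISO-8601 UTC timestamps used in the constructed feeds."""
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%SZ")


def evaluate_leavers(terminations, idp_events, sla=LEAVER_SLA):
    """Return one finding per leaver over the whole population.

    status is "pass" (disabled within sla), "late" (disabled after sla) or
    "open" (no disable event at all, i.e. the risk is still live).
    """
    earliest_disable = {}
    for ev in idp_events:
        if ev["action"] != "account.disable":
            continue  # group removals and other events do not satisfy the control
        ts = parse_ts(ev["at"])
        if ev["user"] not in earliest_disable or ts < earliest_disable[ev["user"]]:
            earliest_disable[ev["user"]] = ts

    findings = []
    for term in terminations:
        t_term = parse_ts(term["terminated_at"])
        t_dis = earliest_disable.get(term["user"])
        if t_dis is None:
            status, lag_hours, disabled_at = "open", None, None
        else:
            lag = t_dis - t_term
            lag_hours = round(lag.total_seconds() / 3600, 1)
            status = "pass" if lag <= sla else "late"
            disabled_at = t_dis.strftime("%Y-%m-%dT%H:%M:%SZ")
        findings.append({
            "user": term["user"],
            "terminated_at": term["terminated_at"],
            "disabled_at": disabled_at,
            "lag_hours": lag_hours,
            "status": status,
        })
    return findings


def evidence_package(findings, control="leaver-account-disable"):
    """Machine-readable evidence over the full population, exceptions included."""
    return {
        "control": control,           # assumed label, not a real KSI or control ID
        "population": len(findings),
        "passed": sum(1 for f in findings if f["status"] == "pass"),
        "exceptions": [f for f in findings if f["status"] != "pass"],
        "findings": findings,
    }


def curated_sample(findings, n=2):
    """What a traditional 'pick a few clean examples' package would have shown."""
    return [f for f in findings if f["status"] == "pass"][:n]


def render_json(package) -> str:
    """Serialise the evidence the way an API endpoint would return it."""
    return json.dumps(package, indent=2, sort_keys=True)


if __name__ == "__main__":
    pkg = evidence_package(evaluate_leavers(HR_TERMINATIONS, IDP_EVENTS))
    print(render_json(pkg))
    print("curated sample would show:", curated_sample(pkg["findings"]))
```

Run as-is, the full-population package reports two exceptions (one account disabled about 89 hours late and one never disabled), while the curated sample of two passing records would have looked entirely clean. Any real implementation would read the HR and IdP data from their actual exports or APIs and treat the SLA as the organization's own policy value.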
This isn’t merely better evidence.
It represents an entirely different philosophy of assurance.
The rise of GRC engineering
And this is where I believe GRC engineering becomes genuinely significant.
Not because everyone abruptly needs to transform into a software engineer, but because the discipline itself is shifting from a documentation exercise into an operational engineering challenge.
Modern GRC teams are progressively building telemetry pipelines, integrations, APIs, infrastructure visibility, and continuous assurance layers. And truthfully, some of those pipelines are considerably more difficult to construct than people assume. Cloud infrastructure, CSPM tooling, and application security platforms are relatively approachable because the data is already fairly structured and accessible. The truly challenging components are the messy operational systems that organizations historically managed through process and human coordination.
Items like policy management workflows, budget approvals, software bill of materials tracking, and non-standard operational processes are far harder to standardize and expose consistently.
That’s another reason this shift carries such weight. It compels organizations to operationalize areas that historically resided in spreadsheets, meetings, or institutional knowledge.
That demands a very different skillset from managing spreadsheets and coordinating screenshots.
More importantly, it transforms the conversations.
One of the things I valued most throughout the FedRAMP 20x process was that discussions progressively stopped being: How do we satisfy this control?
And evolved into: What risk are we genuinely trying to mitigate here?
That represents a far healthier conversation for security teams to engage in. Because not every risk carries equal weight for every organization. Not every control tangibly strengthens security posture. Not every framework requirement warrants the same level of operational investment.
Traditional compliance frequently struggles with that nuance because it optimizes around consistency and uniformity.
Modern engineering-led assurance feels different.
It feels more contextual, more operational, and truthfully far more honest.
And truthfully, honesty is probably the most significant element missing from large portions of compliance today.
We’ve constructed an industry where everyone feels pressure to appear perfect.
Impeccable dashboards. Flawless controls. Ideal audit outcomes.
But real engineering environments are never perfect.
They contain bugs, drift, exceptions, failures, temporary workarounds, and peculiar edge cases.
That doesn’t automatically mean the environment is insecure. It means it’s real.
I genuinely believe one of the most significant mindset shifts that FedRAMP 20x and the broader GRC engineering movement are driving is this: nonconformities, errors and issues shouldn’t automatically erode confidence. When dealt with properly, they should actually strengthen it.
Because mature organizations aren’t the ones pretending that problems don’t exist. They’re the ones that can spot issues quickly, address them openly, and keep getting better. That’s what engineering looks like. And perhaps that’s where compliance finally starts to regain its usefulness.
The future of trust
For organizations taking part in the current pilot programs under FedRAMP 20x Phase 2, many of these ideas are already being put to the test through automation-driven assessments, machine-readable evidence, and ongoing transparency.
Because right now, most compliance still operates as if we’re printing out MapQuest directions in 2004 and just hoping that nothing along the route has changed.
The environment shifts constantly. Cloud infrastructure drifts, engineers move fast, businesses evolve, and threat actors adapt far more quickly than yearly audits ever could.
Yet most assurance still depends on frozen snapshots and sampled evidence that were already outdated the moment they were exported into a PDF.
That’s the part I believe FedRAMP 20x truly grasps. This isn’t merely about updating the way audits are conducted. It’s about recognizing that modern systems are living, breathing entities.
They are short-lived, always in flux, and impossible to fully understand through static evidence alone.
That’s why the shift toward APIs, telemetry, and machine-readable evidence is so significant.
Not because APIs happen to be in vogue.
Because they enable us to reveal operational truth on an ongoing basis rather than piecing it together periodically after the fact.
And honestly, I believe this reshapes the future of trust.
In five years, I don’t think organizations will primarily be sending customers PDFs and certifications.
I think they’ll be exposing layers of assurance.
APIs.
Telemetry.
Machine-readable evidence.
Instead of saying: Here’s our SOC 2.
They’ll say: Here’s the operational data. Run your own queries against it.
Auditors won’t go away, but I believe their role shifts considerably.
Less time reviewing handpicked screenshots and selected controls. More time verifying whether the underlying evidence pipelines are thorough, precise, and reliable.
Modern auditing becomes less about evaluating controls and more about assessing data integrity.
And honestly?
That feels like a far healthier future than the one we’ve constructed so far.
Because the future of trust probably isn’t polished dashboards and carefully curated evidence. It’s operational truth, and operational truth is messy. It contains drift, exceptions, workarounds, gaps, and uncomfortable findings, but that’s precisely what makes it valuable.
Stop rewarding the best storytellers
Perhaps that’s the most significant change FedRAMP 20x is attempting to bring about. Not better paperwork. Better transparency.
For years, we’ve been rewarding organizations for crafting the cleanest narrative. Maybe it’s finally time we reward them for exposing the truth instead. That’s the revolution that FedRAMP 20x and GRC engineering are spearheading.
This article is published as part of the Foundry Expert Contributor Network.