Ethan Troy on FedRAMP 20x, GRC Engineering, and Building AI Agents

Learn how federal compliance is shifting away from the tedious paperwork of legacy FedRAMP toward automation and machine-readable data with FedRAMP 20x. Get practical strategies for building AI agents that solve real-world security challenges while learning how GRC engineering is disrupting traditional compliance models.

Keaton Olson | 53 min read


If you’ve been following the shifts in federal compliance over the past year, you’ve probably got questions, and you’re not alone. 

Many in GRC are feeling unsure about where FedRAMP is going and the role of AI in GRC.  

Ethan Troy, GRC engineer, developer, former Army National Guard medic, Coalfire assessor, and now the head of GRC Engineering at TRM Labs, joined our podcast to let us pick his immense brain. 

Watch the podcast or read on to find out why he believes FedRAMP 20x is the future and get practical tips for building agents that actually solve real security problems.

Ethan Troy's Path to GRC Engineering

Ethan's background is anything but conventional. He started as a full-stack developer, served as a medic in the Army National Guard, worked at Balmer Shock Trauma in trauma medicine, responded to emergencies at NASA Greenbelt, and was even on track for nursing school before life took a turn.

A chance lunch with a friend working at Ernst & Young changed his trajectory. That friend described IT auditing, and Ethan's reaction was: that sounds easy. 

He earned a Security+ certification, joined Coalfire as an assessor, and quickly rose to leading a team. 

Along the way, he built GRC tooling, advised organizations like Blue Cross on replacing legacy platforms, and developed a reputation for shipping products at breakneck speed.

Now at TRM Labs, a blockchain intelligence company that helps financial institutions, crypto businesses, and government agencies detect and investigate crypto-related financial crime, Ethan is building a GRC program from the ground up. He is only three weeks in and it’s already making waves.

Why GRC Is More Than a Paper-Pushing Exercise

GRC deserves more respect than it typically gets. 

When people hear "cybersecurity," they think pen testing, red teaming, and threat hunting. Meanwhile, GRC is dismissed as the boring compliance cousin.

But as Ethan and Isaac both point out, GRC brings everything together. You have to understand the code, the compliance frameworks, the legal landscape, and the human dynamics that hold it all together. 

To be effective, you need empathy. You have to have the ability to sit between a legal team, an engineering team, and a security team and translate across all three.

Isaac put it well: the reason GRC is interesting is that it sits at the intersection of the deeply technical and the non-technical. 

It's where things actually get done.

And with AI adding another layer of complexity, GRC professionals now need to understand a new kind of technology that blurs the lines between people, process, and technology.

The Two Big Problems With Legacy FedRAMP

Kenny didn't mince words about what's broken with the legacy FedRAMP model. He outlined two core issues that have plagued the program for years.

Problem 1: An Agency Cannot Accept Risk for the Entire Federal Government

The legacy FedRAMP model assumed that one agency's authorization could serve as a blanket approval across government. 

That's not how risk management works. 

Every agency has its own mission, its own threat profile, and its own tolerance for risk. An authorization from one agency doesn't — and shouldn't — mean every other agency can blindly trust the same service.

Agencies need the ability to make their own informed decisions about whether to bring a cloud service into their environment.

Problem 2: The Cost-to-Value Ratio Is Broken

Getting a FedRAMP authorization under the legacy model was extraordinarily expensive. 

Organizations would spend months or years producing massive documents, only to have an assessor sit in a room and ask questions that the interviewee answered by reading from the System Security Plan (SSP).

As Ethan described it: assessors would conduct interviews, and the interviewees would literally read the SSP back to them. It's a glorified fact-check against a document that may or may not reflect reality. 

That's not adding value to anyone.

The SSP Is Dead — Long Live the SSDR

Hot off the press from FedRAMP Director Pete Waterman: the System Security Plan is getting a rebrand. It will now be called the System Security Decision Record (SSDR).

The name change reflects a fundamental shift in intent. 

The SSP was supposed to outline what you decided about your security posture. But instead, it became a narrative exercise disconnected from reality. The SSDR reframes the document as what it should have always been: a record of actual security decisions.

As Kenny put it: just because the SSP says you use Splunk to monitor your system doesn't mean that's what's actually happening. FedRAMP 20x is pushing the industry toward evidence-based, machine-readable validation — not 400-page Word documents.

And for those still wondering: Pete Waterman has confirmed that "document" doesn't mean .docx. It never did.

FedRAMP 20x: A Competitive Marketplace for Cloud Security

Think of the meat aisle. You see the bare minimum, USDA-inspected beef, but you also see local, organic, grass-fed, and imported options at every price point. Consumers get to choose based on their budget and their standards.

That's the vision for FedRAMP 20x. Instead of a single, monolithic authorization that tries to be everything to everyone, agencies get a marketplace. 

Some agencies need the premium, highest-assurance option. Others just need the basics. Both are valid choices — and both deserve clear, comparable information to make that decision.

This shift has massive implications for competition. Under the legacy model, the federal marketplace was effectively a monopoly for a handful of authorized providers. With 20x, smaller and more innovative services can realistically enter the federal space. This includes providers like DigitalOcean, niche SaaS platforms, and next-gen security tools.





The Consulting Industry Must Pivot

If your business model is built on milking the inefficiencies of legacy compliance, you're going to get disrupted.

Ethan is blunt about it: consulting firms that bill by the hour have no incentive to make things faster or better. The structure even rewards complexity. But FedRAMP 20x flips that model. 

If a consultant can get you authorized in less time at higher quality, the question becomes: would you pay a premium for that?

The answer is almost always yes — because faster authorization means faster time to market, faster revenue, and a System Security Decision Record that's actually true on an ongoing basis.

The takeaway for consultants and advisors: shift from billing hours to billing outcomes. If you can deliver better results faster, you're much more valuable.

Vulnerability Management in the Age of AI

The conversation turned to the FedRAMP VDR (Vulnerability Detection and Response) standard and why incident response timelines are collapsing.

There was a time when reporting an incident within 12 to 24 hours was the gold standard. That era is over. 

The average time from disclosure to exploitation has collapsed, to less than a day in some cases. This is driven by AI capabilities that can identify and weaponize vulnerabilities at machine speed.

For critical systems holding veterans' information or supporting deployed military units, a 12-hour response window is unacceptable. 

This is why the new VDR standard focuses on what actually matters: is the vulnerability internet-reachable? Is it likely exploitable? What's the real-world path an attacker would take?

This aligns with Pete Waterman's frequently cited Mission Impossible analogy: nine times out of ten, you don't need to worry about Tom Cruise rappelling through the ceiling. The average threat actor is looking for the easiest way in — cash, data, ransomware. Focus your defenses accordingly.
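To make the VDR questions above concrete, here is an added example (not FedRAMP's, Paramify's, or Ethan's code) that triages findings by internet reachability and exploitability first and uses CVSS only to break ties. The finding identifiers, scores and components are constructed sample data, and the remediation windows are this example's own assumed policy, not FedRAMP's published timelines.

```python
"""Vulnerability triage by attack path, not raw severity (added example)."""
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone

# Assumed remediation windows in hours, keyed by triage tier. These are this
# example's policy, not FedRAMP's published VDR timelines.
WINDOWS_HOURS = {"urgent": 24, "high": 72, "moderate": 14 * 24, "low": 90 * 24}
TIER_ORDER = ["urgent", "high", "moderate", "low"]


@dataclass(frozen=True)
class Finding:
    finding_id: str
    component: str
    cvss: float                 # base score, 0-10
    internet_reachable: bool    # is the affected component exposed to the internet?
    known_exploited: bool       # e.g. appears in a known-exploited-vulnerabilities list
    exploit_probability: float  # 0-1, an EPSS-style likelihood of exploitation


def tier(f: Finding) -> str:
    """Reachability and exploitability drive the tier; CVSS only decides the rest."""
    if f.internet_reachable and (f.known_exploited or f.exploit_probability >= 0.5):
        return "urgent"
    if f.internet_reachable or f.known_exploited:
        return "high"
    if f.cvss >= 7.0:
        return "moderate"
    return "low"


def triage(findings, now: datetime) -> list:
    """Return one row per finding, most urgent first, with an assumed due date."""
    by_id = {f.finding_id: f for f in findings}
    rows = []
    for f in findings:
        t = tier(f)
        rows.append({
            "id": f.finding_id,
            "component": f.component,
            "tier": t,
            "due": (now + timedelta(hours=WINDOWS_HOURS[t])).isoformat(),
        })
    # Within a tier: higher exploit likelihood first, then higher CVSS.
    rows.sort(key=lambda r: (TIER_ORDER.index(r["tier"]),
                             -by_id[r["id"]].exploit_probability,
                             -by_id[r["id"]].cvss))
    return rows


# Constructed sample findings; identifiers, components and scores are made up.
SAMPLE = [
    Finding("F-1", "internal batch job", 9.8, False, False, 0.10),
    Finding("F-2", "public login page", 6.5, True, True, 0.30),
    Finding("F-3", "public API gateway", 7.5, True, False, 0.20),
    Finding("F-4", "admin-only dashboard", 4.0, False, False, 0.02),
]


def triage_sample() -> list:
    """Triage the constructed sample at a fixed time so the output is reproducible."""
    return triage(SAMPLE, datetime(2026, 5, 1, tzinfo=timezone.utc))


if __name__ == "__main__":
    for row in triage_sample():
        print(row)
```

Note what the ordering shows: the CVSS 9.8 finding on an internal batch job lands behind a CVSS 6.5 finding on an internet-facing login page that is already being exploited, which is exactly the "what's the real-world path" question the VDR standard is asking.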

Defense in Depth Over Single Points of Failure

Isaac drives home a critical security principle: assume breach has already happened. 

No matter how good your firewall is — whether it's Palo Alto, Cisco, or AWS WAF — it can't be the only thing standing between your sensitive data and the internet.

The Secure Configuration Guide that FedRAMP has started to implement is a step in the right direction. For many cloud services, the low-hanging fruit is simply configuring things correctly: the guide covers the 5-10 security levers that prevent the vast majority of common attacks when they are set up properly.

But the industry still has work to do. Ethan points out that services like GitHub often don't publish the best security configuration guides for their own platforms. It took a company like Wiz to put together a better guide than GitHub did for itself.

GRC Platforms Are Competing Against Spreadsheets

One of the most memorable lines from Ethan: GRC platforms aren't competing against each other - they're competing against spreadsheets.

He's not wrong. When a GRC tool is slower than Excel for bulk updates, when you can't drag a formula across 200 rows, when the interface adds friction instead of removing it - the spreadsheet wins every time.

Paramify's approach has been transparency. The platform's evidence collection scripts are in an open GitHub repository. The logic is deterministic. Auditors can see exactly how evidence was collected, verify the API calls, and trust the output. That's a fundamentally different value proposition than a black-box platform that just shows green checkmarks.

As the industry matures, the real differentiation won't be in basic evidence collection - that's a solved problem. It will be in how platforms create relationships between data points, surface deeper insights, and enable real-time continuous monitoring.
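The two ideas above, a handful of configuration levers worth checking and evidence collection that an auditor can verify call by call, fit in one small program. The following is an added example written for this article; it is not Paramify's open-source collector or anything from GitHub or Wiz. It uses a constructed in-memory stand-in for a SaaS admin API (the endpoint paths, field names and organization name are assumptions modelled loosely on org and branch-protection settings), runs two configuration checks against it, and emits an evidence record that includes the exact API calls made and a SHA-256 digest over a canonical serialization, so a re-run against the same state produces the same bytes.

```python
"""Deterministic, auditable evidence collection (added example, not Paramify's code)."""
import hashlib
import json
from dataclasses import dataclass, field

# Constructed stand-in for a SaaS admin API. The paths, fields and org name are
# assumptions; a real collector would make HTTPS calls, the mock keeps this offline.
MOCK_API = {
    "GET /orgs/example-org": {
        "two_factor_requirement_enabled": True,
        "default_repository_permission": "read",
    },
    "GET /repos/example-org/api/branches/main/protection": {
        "required_pull_request_reviews": {"required_approving_review_count": 1},
        "enforce_admins": {"enabled": False},
    },
}


@dataclass
class Collector:
    """Thin API client that records every call it makes, in order."""
    api: dict
    calls: list = field(default_factory=list)

    def get(self, path: str) -> dict:
        key = f"GET {path}"
        self.calls.append(key)
        if key not in self.api:
            raise KeyError(f"unmocked endpoint: {key}")
        return self.api[key]


def check_org_2fa(c: Collector, org: str) -> dict:
    """Lever 1: the organization must require two-factor authentication."""
    data = c.get(f"/orgs/{org}")
    observed = data.get("two_factor_requirement_enabled", False)
    return {"check": "org-2fa-required", "expected": True,
            "observed": observed, "pass": observed is True}


def check_branch_protection(c: Collector, org: str, repo: str, branch: str) -> dict:
    """Lever 2: protected default branch, at least one review, enforced for admins too."""
    data = c.get(f"/repos/{org}/{repo}/branches/{branch}/protection")
    reviews = data.get("required_pull_request_reviews") or {}
    approvals = reviews.get("required_approving_review_count", 0)
    admins = (data.get("enforce_admins") or {}).get("enabled", False)
    observed = {"required_approvals": approvals, "enforce_admins": admins}
    expected = {"required_approvals": 1, "enforce_admins": True}
    return {"check": "branch-protection", "expected": expected,
            "observed": observed, "pass": approvals >= 1 and admins is True}


def canonical(obj) -> str:
    """Stable serialization: sorted keys, no whitespace, so equal data hashes equal."""
    return json.dumps(obj, sort_keys=True, separators=(",", ":"))


def collect(api: dict, org: str, repo: str, branch: str, collected_at: str) -> dict:
    """Run the checks and emit one evidence record with the call log and a digest.

    `collected_at` (ISO 8601) is passed in rather than read from the clock, so a
    re-run against the same API state yields a byte-identical record and the
    same SHA-256, which an auditor can recompute independently.
    """
    c = Collector(api)
    results = [check_org_2fa(c, org), check_branch_protection(c, org, repo, branch)]
    body = {"collected_at": collected_at, "api_calls": list(c.calls), "results": results}
    digest = hashlib.sha256(canonical(body).encode("utf-8")).hexdigest()
    return {"evidence": body, "sha256": digest}


if __name__ == "__main__":
    record = collect(MOCK_API, "example-org", "api", "main", "2026-05-01T00:00:00Z")
    print(json.dumps(record, indent=2, sort_keys=True))
```

The design choice worth copying is that nothing in the record depends on hidden state: the inputs are the API responses and an explicit timestamp, the call log is part of the hashed body, and the checks are plain comparisons. An auditor who replays the two listed requests and gets the same responses can regenerate the digest themselves, which is the "verify the API calls" property the section describes, as opposed to trusting a green checkmark.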

Building AI Agents for GRC That Actually Work

Ethan Troy has become known for building AI agents for GRC workflows. Here’s his practical advice for the rest of us.

Start With Real Problems, Not Cool Tech

Don't automate for the sake of automating. Ethan built tools for the team in his previous role, such as enhanced CSF (Cybersecurity Framework) control browsers that helped his analysts stop memorizing control IDs and start solving actual problems. 

The value wasn't in the tool itself; it was in freeing up cognitive bandwidth for higher-order thinking.

Iterate Fast, Kill Fast

With AI, you can prototype something in hours that used to take weeks. That's a superpower, but only if you're willing to throw away what doesn't work. 

Ethan's approach: build it quickly, test it with real users, and don't get attached. 

Most of what you build will be garbage. The point is to find the 10% that isn't.

Don't One-Shot Complex Problems

LinkedIn is full of people claiming they replaced Slack or built an entire platform in a weekend with AI. But that's not reality. 

Real platforms are built on integrations, upkeep, edge cases, and years of iteration. AI gives you a faster starting line rather than a finish line.

Domain Expertise Still Matters

Most importantly: the most successful AI agents are roughly 85% deterministic code and 15% AI. The domain knowledge, meaning the understanding of GRC pitfalls, framework nuances, and stakeholder dynamics, is what makes the difference between a demo and a production system.

Someone with deep GRC experience will always outperform a Silicon Valley newcomer who just decides to "build a platform." 

Domain expertise combined with AI is a powerful combination.

Key Takeaways

  • FedRAMP 20x is creating a competitive marketplace where agencies can make informed risk decisions, not rubber-stamp inherited authorizations.
  • The SSP is becoming the SSDR (System Security Decision Record) — a shift from narrative fiction to documented decisions.
  • Consulting must pivot from hours to outcomes. If your business depends on inefficiency, you're already behind.
  • Vulnerability response windows are collapsing. AI-driven exploitability means 12-hour response times are no longer acceptable for critical systems.
  • GRC platforms must beat the spreadsheet - not just other platforms. Transparency and deterministic evidence collection are table stakes.
  • AI agents should solve real problems, not just look impressive on LinkedIn. Start with your team's actual pain points and iterate relentlessly.
  • Domain expertise + AI = the winning combination. Neither alone is sufficient.

The Opportunity Ahead

The shift Ethan describes is here, not way off in the distance. The compliance industry is being forced to grow up fast and the organizations that will thrive are the ones that embrace the opportunity.

Paramify was built to help your GRC team make this transition. 

While your competitors are still updating 1,800-page SSPs by hand, Paramify automates evidence collection, generates OSCAL-native outputs, and produces ATO packages in 1–7 days — at a fraction of the cost of legacy approaches. The evidence collection scripts are open source. The logic is deterministic. Auditors can verify every API call. No black boxes. No compliance theater.

You need a platform that adapts with the standard, not one you’ll have to rip out in 18 months. Paramify's architecture was designed around First Principles Risk Management: understand the actual security decision, automate the evidence, and skip the narrative fiction. 

The best time to modernize was before the standard changed. The second best time is now.

→ Schedule your demo below to see how Paramify can help you adapt to the future of GRC. 

Listen to the Full Episode

Catch the full conversation with Ethan Troy on the Paramify Podcast. Want to see how Paramify is helping organizations navigate FedRAMP 20x? Request a demo video or live demo to learn more.

Keaton Olson
With over a decade of experience creating content and running social for brands, Keaton manages all of Paramify's social accounts, leads the team behind all social and video content, and produces and manages the Paramify podcast. His goal is simple: make Paramify the most recognized name in GRC. When he's not working, Keaton is a creative at heart who enjoys making music, creating art, and hitting the slopes whenever he can.
May 2026

Frequently Asked Questions

Can compliance advisors or consultants work in Paramify with us, and does it help with managed-service models?

Absolutely. Paramify is used by many advisory partners, RPOs, and MSPs to guide, generate, and manage documentation, perform gap assessments, facilitate policy/procedure drafting, and oversee remediation activities. Advisors can fill out templates, manage controls, and generate client-ready documents.

We have privacy or compliance concerns, can we restrict what external reviewers can access?

Yes, you can assign role-based access controls in Paramify. Advisors or auditors can be given access only to certain programs, assessments, and their related evidence.

Sensitive information can be withheld or redacted as needed, and only authorized reviewers see specific items.

Can auditors or advisory partners get direct access to our Paramify environment, or do we have to export everything for them?

Yes, Paramify allows external assessors/auditors and advisors to be invited as users, with controlled permission levels. They can review specific evidence, policies, SSPs, POA&Ms, or assessment modules without accessing broader company data. 

Documentation, such as Appendix A, SSPs, procedures, and POA&Ms, can also be exported in multiple standard formats (Word, Excel, OSCAL, eMASS, PDF) as needed.

Can I get matched with an Advisor based on my specific needs?

Yes. You can use the Get Matched feature on our website. We will review your specific compliance goals and connect you with the partner best suited for your industry and timeline.

How do Advisors use Paramify during a FedRAMP engagement?

Advisors use Paramify to conduct gap assessments, map controls, automate SSPs, and manage POA&Ms.

Instead of spending months writing Word documents, the Advisor inputs the system architecture and control implementations into Paramify, which then generates the required NIST-formatted documentation.

Does Paramify compete with its Advisors?

No. Paramify is a software company. We do not offer independent audit or long-term consulting services. Our goal is to empower Advisors with better tools so they can serve more clients effectively.

What are the different partner tiers?

We feature Premier Partners prominently on our site. These are firms that have demonstrated a high level of proficiency with the Paramify platform and have successfully helped many clients through the authorization process using our tools.

How do I become an official Paramify Advisor Partner?

We look for firms with a proven track record in federal compliance. If you are interested in joining our network and leveraging our automation products, you can reach out via our contact page or schedule a demo to see how our tools fit into your workflow.

What is the benefit of using an Advisor who uses Paramify vs. one who doesn't?

Advisors using Paramify can accelerate your implementation and typically deliver documentation in a fraction of the time it takes without Paramify. This means:

  • Faster Implementation: An accelerated implementation roadmap keeps timelines predictable.
  • Lower Costs: Reduced manual consultant hours.
  • Higher Accuracy: Automation eliminates the "copy-paste" errors common in traditional SSPs.
  • Easier Maintenance: Your Advisor can help you manage POA&Ms and continuous monitoring within the platform.

Does working with an Advisor on this list guarantee FedRAMP or CMMC authorization?

No firm can "guarantee" authorization, as the final decision rests with the government authorizing body (e.g., the FedRAMP PMO or the DoD).

However, working with a Paramify Advisor significantly reduces the risk of documentation errors and ensures your package is built on a technically sound, automated foundation.

How do I choose the right Advisor for my organization?

Our Advisor page allows you to filter partners by their specific expertise, such as FedRAMP, CMMC, FISMA, or GovRAMP.

Why does Paramify partner with Advisors?

Paramify is an “Iron Man suit” for GRC experts. We provide automation technology to generate and manage compliance documentation (like SSPs and POA&Ms) while Advisors provide the expert human oversight and implementation expertise.

Together, we offer a "best-of-both-worlds" solution: expert consulting powered by industry-leading automation and risk management planning.

What is the Paramify Advisor Partner Network?

The Paramify Advisor Partner Network is a curated group of cybersecurity and compliance firms — including CMMC Registered Practitioner Organizations (RPOs) and accredited 3PAOs — that use Paramify’s platform to deliver faster, more accurate compliance outcomes for their clients.

I already have an advisor or very capable GRC team. Why do I need Paramify?

Use Paramify's Risk Solution platform to automate ATO packages, improving cost efficiency, speed, and accuracy. This frees your team to focus on more valuable efforts like security posture enhancement and compliance improvements.