#45 - The Evolution of FedRAMP and FedRAMP 20x with Jason Oksenhendler
The Paramify Podcast
1 hour 2 minutes 36 seconds
2 months ago
“Once you’re in Hotel FedRAMP, you can’t leave.”
Jason Oksenhendler, Cybersecurity Director of FedRAMP®/GovRAMP at Baker Tilly x Moss Adams, sits down with Kenny and Isaac to talk about FedRAMP’s past, how 20x is shaping the future, and why nobody ever really checks out of Hotel FedRAMP.
👉 Key Takeaways:
• FedRAMP 20x was a “hand grenade” for everyone’s roadmap, and it’s already transforming compliance speed and evidence collection.
• Risk-first programs survive change — smart architecture and design decisions matter more than chasing checklists.
• Flexibility vs. rigor — 20X offers new freedom, but assessors must still enforce strong security.
• Collaboration wins — assessors and CSPs working together can turn impossible timelines into success.
Learn more about Jason:
https://www.linkedin.com/in/jason-oksenhendler/
Learn more about Baker Tilly x Moss Adams:
https://www.bakertilly.com/
https://www.mossadams.com/
Learn more about Kenny:
https://www.linkedin.com/in/kenny-g-scott/
Learn more about Isaac:
https://www.linkedin.com/in/isaacteuscher/
Learn more about Paramify:
https://www.paramify.com/
Timestamps:
00:00 – Moss Adams x Paramify team-up: Jason recounts how a shared client pushed both teams into the deep end of 20X, asking to include the auditors before Paramify even had an assessment portal built.
01:00 – Less than two-week deadline: The group describes the chaos of spinning up a 20X package in record time, with Rob (the auditor) agreeing to figure things out alongside them.
01:44 – Submitting against moving targets: Just as the package was ready to go, the final low 20X KSIs dropped, forcing last-minute changes and stress.
02:24 – Nature of FedRAMP change: Jason compares FedRAMP shifts to “big boulders” coming at you, not “mousy” tweaks; change is always disruptive and massive.
02:56 – Success despite chaos: Teams (Paramify, Flock, Baker Tilly) pulled it together, got the package in on time, and landed among the first four 20X submissions posted publicly.
03:07 – The reality check: Jason: not everything in FedRAMP is “dillydallying”; clients, deadlines, and bills make delivery non-negotiable.
03:13 – Official podcast kickoff: Kenny introduces the episode: Jason Oksenhendler (Baker Tilly, formerly Moss Adams), and Paramify’s “rising star” Isaac Teuscher.
04:01 – Jason’s career origin story: From news anchor ➝ IT tech writer ➝ into FedRAMP (starting around NIST 800-53 Rev 2).
05:40 – First FedRAMP assignment: Jason recalls his boss handing him a paper: “Go do FedRAMP.” He walks through early JAB/ISSO processes, feedback loops, and working with Matt Goodrich and Ashley Mahan.
11:43 – Co-creating the FedRAMP High Baseline: Jason describes working with DoD’s Ron Rice to build the High Baseline from scratch.
13:00 – Early FedRAMP pain: Microsoft Word & Excel “hell,” endless regurgitated control statements, and why some CSPs made assessors want to “bang their heads on the desk.”
15:32 – “You could do a Seinfeld routine on this crap.”: Jason on version control disasters and 600-page SSP reviews without track changes.
17:30 – Culture shock of change: Reactions to FedRAMP 20X mirror the same resistance to earlier shifts, but it’s always been “do once, use many.”
20:00 – Continuous monitoring reality: Jason emphasizes executive buy-in as essential, recalling how ConMon and POA&Ms separate prepared orgs from overwhelmed ones.
22:50 – FedRAMP rigor vs. other frameworks: Jason argues FedRAMP is among the toughest frameworks, on par with DoD IL4-6.
25:00 – 20X blows up the roadmap: Kenny calls 20X a “hand grenade” for Paramify’s product plans.
29:00 – Cross-team collaboration: Jason highlights how six strangers in a Slack channel worked seamlessly under pressure, “like a chocolate fountain.”
34:00 – 20X flexibility vs. rigor: Jason explains the challenge of balancing new freedoms with maintaining strong security.
38:00 – Scaling 20X & future baselines: Speculation about moderate and high 20X baselines and how CSPs will adapt.
46:00 –