<?xml version="1.0" encoding="UTF-8"?>
<?xml-stylesheet href="/stylesheet.xsl" type="text/xsl"?>
<rss version="2.0" xmlns:dc="http://purl.org/dc/elements/1.1/" xmlns:atom="http://www.w3.org/2005/Atom" xmlns:sy="http://purl.org/rss/1.0/modules/syndication/" xmlns:content="http://purl.org/rss/1.0/modules/content/" xmlns:itunes="http://www.itunes.com/dtds/podcast-1.0.dtd" xmlns:podcast="https://podcastindex.org/namespace/1.0">
  <channel>
    <atom:link rel="self" type="application/rss+xml" href="https://feeds.transistor.fm/the-38north-security-podcast" title="MP3 Audio"/>
    <atom:link rel="hub" href="https://pubsubhubbub.appspot.com/"/>
    <podcast:podping usesPodping="true"/>
    <title>The 38North Security Podcast</title>
    <generator>Transistor (https://transistor.fm)</generator>
    <itunes:new-feed-url>https://feeds.transistor.fm/the-38north-security-podcast</itunes:new-feed-url>
    <description>Join us as we discuss news and current events, trends, and controversies in the world of cybersecurity. We have strong feelings and they're not limited to FedRAMP, CMMC, FISMA, IRAP, security engineering, or documentation. Anything goes -- some of the things we say are probably even helpful! Interested in having words? Email us at info@38northsecurity.com.</description>
    <copyright>© 2026 38North Security</copyright>
    <podcast:guid>35780ee0-5dcb-5e91-8c62-7cd1cc67742c</podcast:guid>
    <podcast:locked>yes</podcast:locked>
    <language>en</language>
    <pubDate>Thu, 02 Jul 2026 12:10:04 -0400</pubDate>
    <lastBuildDate>Thu, 02 Jul 2026 12:10:33 -0400</lastBuildDate>
    <image>
      <url>https://img.transistorcdn.com/xVz3Q6vRIO8afrcbMOPq8ijm00ss1DzPwR0ipGrJyvo/rs:fill:0:0:1/w:1400/h:1400/q:60/mb:500000/aHR0cHM6Ly9pbWct/dXBsb2FkLXByb2R1/Y3Rpb24udHJhbnNp/c3Rvci5mbS9zaG93/LzQ5MjM0LzE3MDY2/MzQ4NDEtYXJ0d29y/ay5qcGc.jpg</url>
      <title>The 38North Security Podcast</title>
    </image>
    <itunes:category text="Technology"/>
    <itunes:category text="Business"/>
    <itunes:type>serial</itunes:type>
    <itunes:author>38North Security</itunes:author>
    <itunes:image href="https://img.transistorcdn.com/xVz3Q6vRIO8afrcbMOPq8ijm00ss1DzPwR0ipGrJyvo/rs:fill:0:0:1/w:1400/h:1400/q:60/mb:500000/aHR0cHM6Ly9pbWct/dXBsb2FkLXByb2R1/Y3Rpb24udHJhbnNp/c3Rvci5mbS9zaG93/LzQ5MjM0LzE3MDY2/MzQ4NDEtYXJ0d29y/ay5qcGc.jpg"/>
    <itunes:summary>Join us as we discuss news and current events, trends, and controversies in the world of cybersecurity. We have strong feelings and they're not limited to FedRAMP, CMMC, FISMA, IRAP, security engineering, or documentation. Anything goes -- some of the things we say are probably even helpful! Interested in having words? Email us at info@38northsecurity.com.</itunes:summary>
    <itunes:subtitle>Join us as we discuss news and current events, trends, and controversies in the world of cybersecurity.</itunes:subtitle>
    <itunes:keywords>cybersecurity, FedRAMP, IRAP, CMMC</itunes:keywords>
    <itunes:owner>
      <itunes:name>Ingrid Woodley</itunes:name>
    </itunes:owner>
    <itunes:complete>No</itunes:complete>
    <itunes:explicit>No</itunes:explicit>
    <item>
      <title>Refresher: What's in The FedRAMP Modernization Memo?</title>
      <itunes:season>1</itunes:season>
      <podcast:season>1</podcast:season>
      <itunes:episode>1</itunes:episode>
      <podcast:episode>1</podcast:episode>
      <itunes:title>Refresher: What's in The FedRAMP Modernization Memo?</itunes:title>
      <itunes:episodeType>full</itunes:episodeType>
      <guid isPermaLink="false">f064207f-6aa8-49aa-b7a2-3a0a7fe1432b</guid>
      <link>https://share.transistor.fm/s/e4c41730</link>
      <description>
        <![CDATA[<p>We're about to see significant changes in the way FedRAMP is managed: automation, more pathways to authorization, and no more JAB. It's all in the name of modernization, baby! Well, that and the undeniable fact that the process to get more offerings in the FedRAMP marketplace needs to be much, much faster. But what does it all mean? How will it affect CSPs' efforts to get ATO? Matt Strasburg answers.</p>]]>
      </description>
      <content:encoded>
        <![CDATA[<p>We're about to see significant changes in the way FedRAMP is managed: automation, more pathways to authorization, and no more JAB. It's all in the name of modernization, baby! Well, that and the undeniable fact that the process to get more offerings in the FedRAMP marketplace needs to be much, much faster. But what does it all mean? How will it affect CSPs' efforts to get ATO? Matt Strasburg answers.</p>]]>
      </content:encoded>
      <pubDate>Tue, 30 Jan 2024 15:51:03 -0500</pubDate>
      <author>38North Security</author>
      <enclosure url="https://media.transistor.fm/e4c41730/37144ca3.mp3" length="23952448" type="audio/mpeg"/>
      <itunes:author>38North Security</itunes:author>
      <itunes:duration>1498</itunes:duration>
      <itunes:summary>
        <![CDATA[<p>We're about to see significant changes in the way FedRAMP is managed: automation, more pathways to authorization, and no more JAB. It's all in the name of modernization, baby! Well, that and the undeniable fact that the process to get more offerings in the FedRAMP marketplace needs to be much, much faster. But what does it all mean? How will it affect CSPs' efforts to get ATO? Matt Strasburg answers.</p>]]>
      </itunes:summary>
      <itunes:keywords>FedRAMP, cybersecurity</itunes:keywords>
      <itunes:explicit>No</itunes:explicit>
    </item>
    <item>
      <title>FedRAMP: Goodbye FedRAMP JAB! Hello TAG, Board, and FSCAC!</title>
      <itunes:season>1</itunes:season>
      <podcast:season>1</podcast:season>
      <itunes:episode>2</itunes:episode>
      <podcast:episode>2</podcast:episode>
      <itunes:title>FedRAMP: Goodbye FedRAMP JAB! Hello TAG, Board, and FSCAC!</itunes:title>
      <itunes:episodeType>full</itunes:episodeType>
      <guid isPermaLink="false">a8ab64ee-170b-4ff7-aa26-18c73068b88a</guid>
      <link>https://share.transistor.fm/s/c6208312</link>
      <description>
        <![CDATA[<p>FedRAMP just came out with *three* new bodies governing the program going forward: the TAG, the Board, and the FSCAC. There's a lot of uncertainty right now, not to mention confusion and misinformation. Why are these changes happening? What does it mean for CSPs, 3PAOs, and agencies? Is the JAB gone?!! Matt Strasburg and Jeremiah Thompson shed light on these massive changes and discuss their wide-reaching impact.</p>]]>
      </description>
      <content:encoded>
        <![CDATA[<p>FedRAMP just came out with *three* new bodies governing the program going forward: the TAG, the Board, and the FSCAC. There's a lot of uncertainty right now, not to mention confusion and misinformation. Why are these changes happening? What does it mean for CSPs, 3PAOs, and agencies? Is the JAB gone?!! Matt Strasburg and Jeremiah Thompson shed light on these massive changes and discuss their wide-reaching impact.</p>]]>
      </content:encoded>
      <pubDate>Mon, 10 Jun 2024 06:00:00 -0400</pubDate>
      <author>38North Security</author>
      <enclosure url="https://media.transistor.fm/c6208312/3975ea03.mp3" length="30777581" type="audio/mpeg"/>
      <itunes:author>38North Security</itunes:author>
      <itunes:duration>1926</itunes:duration>
      <itunes:summary>
        <![CDATA[<p>FedRAMP just came out with *three* new bodies governing the program going forward: the TAG, the Board, and the FSCAC. There's a lot of uncertainty right now, not to mention confusion and misinformation. Why are these changes happening? What does it mean for CSPs, 3PAOs, and agencies? Is the JAB gone?!! Matt Strasburg and Jeremiah Thompson shed light on these massive changes and discuss their wide-reaching impact.</p>]]>
      </itunes:summary>
      <itunes:keywords>FedRAMP, cybersecurity, compliance</itunes:keywords>
      <itunes:explicit>No</itunes:explicit>
    </item>
    <item>
      <title>GovRAMP: What Is It, Anyway?</title>
      <itunes:season>2</itunes:season>
      <podcast:season>2</podcast:season>
      <itunes:episode>1</itunes:episode>
      <podcast:episode>1</podcast:episode>
      <itunes:title>GovRAMP: What Is It, Anyway?</itunes:title>
      <itunes:episodeType>full</itunes:episodeType>
      <guid isPermaLink="false">f2a568f1-4a8b-43f7-b3f6-0a2ebf9b8b6a</guid>
      <link>https://share.transistor.fm/s/5ee31eeb</link>
      <description>
        <![CDATA[<p>Welcome to Part 1 of our <em>GovRAMP Mini-Series</em>—a quick, focused look at what GovRAMP is, why it matters, and how cloud service providers can use it to unlock the public sector. </p><p><br>In this episode, we tackle the basics: What exactly is GovRAMP? Why the rebrand from StateRAMP? And is this more than just a name change? </p><p><br><strong>Elizabeth Lopez</strong> helps us break it down. Liz, one of our cloud security technical writers here at 38North Security, has been deep in the weeds of policy, frameworks, and language—so she’s the perfect person to walk us through what GovRAMP is really all about. </p>]]>
      </description>
      <content:encoded>
        <![CDATA[<p>Welcome to Part 1 of our <em>GovRAMP Mini-Series</em>—a quick, focused look at what GovRAMP is, why it matters, and how cloud service providers can use it to unlock the public sector. </p><p><br>In this episode, we tackle the basics: What exactly is GovRAMP? Why the rebrand from StateRAMP? And is this more than just a name change? </p><p><br><strong>Elizabeth Lopez</strong> helps us break it down. Liz, one of our cloud security technical writers here at 38North Security, has been deep in the weeds of policy, frameworks, and language—so she’s the perfect person to walk us through what GovRAMP is really all about. </p>]]>
      </content:encoded>
      <pubDate>Wed, 14 May 2025 17:42:40 -0400</pubDate>
      <author>38North Security</author>
      <enclosure url="https://media.transistor.fm/5ee31eeb/835b0f9c.mp3" length="5934449" type="audio/mpeg"/>
      <itunes:author>38North Security</itunes:author>
      <itunes:image href="https://img.transistorcdn.com/JjqE8UCW06Of6sANpeN2RVIXxpQ1hPAJEhUKW-hLhPk/rs:fill:0:0:1/w:1400/h:1400/q:60/mb:500000/aHR0cHM6Ly9pbWct/dXBsb2FkLXByb2R1/Y3Rpb24udHJhbnNp/c3Rvci5mbS80MGRk/YWY5NWIwNmJiZmU4/NGJlMzYyMjgzNTAw/NGZkZi5wbmc.jpg"/>
      <itunes:duration>369</itunes:duration>
      <itunes:summary>
        <![CDATA[<p>Welcome to Part 1 of our <em>GovRAMP Mini-Series</em>—a quick, focused look at what GovRAMP is, why it matters, and how cloud service providers can use it to unlock the public sector. </p><p><br>In this episode, we tackle the basics: What exactly is GovRAMP? Why the rebrand from StateRAMP? And is this more than just a name change? </p><p><br><strong>Elizabeth Lopez</strong> helps us break it down. Liz, one of our cloud security technical writers here at 38North Security, has been deep in the weeds of policy, frameworks, and language—so she’s the perfect person to walk us through what GovRAMP is really all about. </p>]]>
      </itunes:summary>
      <itunes:keywords>cybersecurity, compliance, FedRAMP, GovRAMP, 38North Security</itunes:keywords>
      <itunes:explicit>No</itunes:explicit>
    </item>
    <item>
      <title>GovRAMP: Why It’s a Smart Growth Move for Cloud Providers</title>
      <itunes:season>2</itunes:season>
      <podcast:season>2</podcast:season>
      <itunes:episode>2</itunes:episode>
      <podcast:episode>2</podcast:episode>
      <itunes:title>GovRAMP: Why It’s a Smart Growth Move for Cloud Providers</itunes:title>
      <itunes:episodeType>full</itunes:episodeType>
      <guid isPermaLink="false">447f6311-0450-4177-bd77-b30259ef42ed</guid>
      <link>https://share.transistor.fm/s/b3dad91b</link>
      <description>
        <![CDATA[<p>This is Part 2 of the <em>GovRAMP Mini-Series</em>. In this episode, we’re digging into the big question: <strong>Why would a cloud provider pursue GovRAMP in the first place?</strong> </p><p><br>We’re joined by <strong>Jeremiah Thompson</strong>, 38North Security's VP of IT and Cloud Solutions. We also have <strong>Matt Strasburg</strong>, Manager of our Cloud Security Advisory practice. Jeremiah’s been in the compliance world for years and brings a pragmatic, strategic lens to why GovRAMP is gaining traction—not just for security reasons, but for smart market growth. Matt, on the other hand, has been pivotal in standing up similar federal programs in past years.</p>]]>
      </description>
      <content:encoded>
        <![CDATA[<p>This is Part 2 of the <em>GovRAMP Mini-Series</em>. In this episode, we’re digging into the big question: <strong>Why would a cloud provider pursue GovRAMP in the first place?</strong> </p><p><br>We’re joined by <strong>Jeremiah Thompson</strong>, 38North Security's VP of IT and Cloud Solutions. We also have <strong>Matt Strasburg</strong>, Manager of our Cloud Security Advisory practice. Jeremiah’s been in the compliance world for years and brings a pragmatic, strategic lens to why GovRAMP is gaining traction—not just for security reasons, but for smart market growth. Matt, on the other hand, has been pivotal in standing up similar federal programs in past years.</p>]]>
      </content:encoded>
      <pubDate>Fri, 16 May 2025 16:41:01 -0400</pubDate>
      <author>38North Security</author>
      <enclosure url="https://media.transistor.fm/b3dad91b/dff841d4.mp3" length="7347225" type="audio/mpeg"/>
      <itunes:author>38North Security</itunes:author>
      <itunes:image href="https://img.transistorcdn.com/Kg5xCqXgxqY3k8u21ZAofRxzz6OOuRov0gL72oGdIzg/rs:fill:0:0:1/w:1400/h:1400/q:60/mb:500000/aHR0cHM6Ly9pbWct/dXBsb2FkLXByb2R1/Y3Rpb24udHJhbnNp/c3Rvci5mbS9kNmNl/Zjg2MjcwNjcyYWM0/YjQxODZlMzQyOWYx/NDkwYS5wbmc.jpg"/>
      <itunes:duration>457</itunes:duration>
      <itunes:summary>
        <![CDATA[<p>This is Part 2 of the <em>GovRAMP Mini-Series</em>. In this episode, we’re digging into the big question: <strong>Why would a cloud provider pursue GovRAMP in the first place?</strong> </p><p><br>We’re joined by <strong>Jeremiah Thompson</strong>, 38North Security's VP of IT and Cloud Solutions. We also have <strong>Matt Strasburg</strong>, Manager of our Cloud Security Advisory practice. Jeremiah’s been in the compliance world for years and brings a pragmatic, strategic lens to why GovRAMP is gaining traction—not just for security reasons, but for smart market growth. Matt, on the other hand, has been pivotal in standing up similar federal programs in past years.</p>]]>
      </itunes:summary>
      <itunes:keywords>cybersecurity, compliance, FedRAMP, GovRAMP, 38North Security</itunes:keywords>
      <itunes:explicit>No</itunes:explicit>
    </item>
    <item>
      <title>GovRAMP: Navigating the Path to Authorization</title>
      <itunes:season>2</itunes:season>
      <podcast:season>2</podcast:season>
      <itunes:episode>3</itunes:episode>
      <podcast:episode>3</podcast:episode>
      <itunes:title>GovRAMP: Navigating the Path to Authorization</itunes:title>
      <itunes:episodeType>full</itunes:episodeType>
      <guid isPermaLink="false">d6b991a6-cfce-4136-a364-93a035d19733</guid>
      <link>https://share.transistor.fm/s/1e776bb2</link>
      <description>
        <![CDATA[<p>Welcome to Part 3, the final episode of our <em>GovRAMP Mini-Series</em>. Over the last two episodes, we’ve covered what GovRAMP is and why companies are pursuing it.</p><p>Today, we’re closing things out by getting tactical—what does the GovRAMP process actually look like from start to finish?</p><p>To walk us through it, we’re joined by Matt Strasburg, manager of our Cloud Security Advisory practice. Matt has guided dozens of companies through complex public sector frameworks, and he’s here to break down the steps, timelines, and fast-track options that cloud providers should know about.</p>]]>
      </description>
      <content:encoded>
        <![CDATA[<p>Welcome to Part 3, the final episode of our <em>GovRAMP Mini-Series</em>. Over the last two episodes, we’ve covered what GovRAMP is and why companies are pursuing it.</p><p>Today, we’re closing things out by getting tactical—what does the GovRAMP process actually look like from start to finish?</p><p>To walk us through it, we’re joined by Matt Strasburg, manager of our Cloud Security Advisory practice. Matt has guided dozens of companies through complex public sector frameworks, and he’s here to break down the steps, timelines, and fast-track options that cloud providers should know about.</p>]]>
      </content:encoded>
      <pubDate>Wed, 28 May 2025 16:29:19 -0400</pubDate>
      <author>38North Security</author>
      <enclosure url="https://media.transistor.fm/1e776bb2/41ddf8ab.mp3" length="10458874" type="audio/mpeg"/>
      <itunes:author>38North Security</itunes:author>
      <itunes:image href="https://img.transistorcdn.com/vafT8lqLPcXIs1snjlEHoudPv44ApEBM-H49R9mESOg/rs:fill:0:0:1/w:1400/h:1400/q:60/mb:500000/aHR0cHM6Ly9pbWct/dXBsb2FkLXByb2R1/Y3Rpb24udHJhbnNp/c3Rvci5mbS9hM2Jh/OTZiMDAzODA2OTJl/M2NkNTQyOWY5YjI3/NmI2OS5wbmc.jpg"/>
      <itunes:duration>652</itunes:duration>
      <itunes:summary>
        <![CDATA[<p>Welcome to Part 3, the final episode of our <em>GovRAMP Mini-Series</em>. Over the last two episodes, we’ve covered what GovRAMP is and why companies are pursuing it.</p><p>Today, we’re closing things out by getting tactical—what does the GovRAMP process actually look like from start to finish?</p><p>To walk us through it, we’re joined by Matt Strasburg, manager of our Cloud Security Advisory practice. Matt has guided dozens of companies through complex public sector frameworks, and he’s here to break down the steps, timelines, and fast-track options that cloud providers should know about.</p>]]>
      </itunes:summary>
      <itunes:keywords>cybersecurity, FedRAMP, IRAP, CMMC</itunes:keywords>
      <itunes:explicit>No</itunes:explicit>
    </item>
    <item>
      <title>FedRAMP 20x Is Here: The Six Changes That Matter Most</title>
      <itunes:season>3</itunes:season>
      <podcast:season>3</podcast:season>
      <itunes:episode>1</itunes:episode>
      <podcast:episode>1</podcast:episode>
      <itunes:title>FedRAMP 20x Is Here: The Six Changes That Matter Most</itunes:title>
      <itunes:episodeType>full</itunes:episodeType>
      <guid isPermaLink="false">769b7f25-b034-4326-9e4e-432d95bd52c3</guid>
      <link>https://share.transistor.fm/s/e705dcae</link>
      <description>
        <![CDATA[<p>With FedRAMP's Consolidated Rules for 2026 being final, FedRAMP 20x is officially here. </p><p>That changes how cloud service providers enter FedRAMP, define scope, prove security, maintain certification, and work with federal agencies.</p><p>In this episode, Ingrid Velasquez-Woodley speaks with Sam Leestma, Vice President of Solutions Engineering, and Spence Witten, Principal Consultant at 38North Security, about the six parts of CR26 most likely to affect cloud providers and agencies.</p><p>Topics include:</p><p>* How the new certification classes differ from the Rev. 5 impact levels<br>* Whether Minimum Assessment Scope will actually reduce cost and complexity<br>* Why Key Security Indicators may provide better assurance than point-in-time evidence<br>* Whether the Security Decision Record could become the next oversized compliance document<br>* What VDR and VER require before the December 7, 2026 deadline<br>* Why existing Rev. 5 providers may struggle with vulnerability automation<br>* How ongoing certification differs from continuous validation<br>* Whether annual assessments should become less burdensome<br>* Why CR26 limits agencies from creating their own parallel FedRAMP requirements<br>* What the major CR26 transition dates mean for providers<br>* What CSPs considering 20x—and those already holding Rev. 5 certifications—should do now</p><p>The discussion also covers where FedRAMP got the model right, where the final rules still create uncertainty, and how implementation by agencies, assessors, and providers will determine whether CR26 actually reduces duplication and improves security visibility.</p><p>Important dates discussed:</p><p>June 24, 2026 — CR26 becomes final<br>July 4, 2026 — Optional early adoption begins<br>July 28, 2026 — FedRAMP Ready becomes a legacy designation<br>August 3, 2026 — Class A applications open<br>August 10, 2026 — Limited Rev. 5 Class B and C transition pathways open<br>August 31, 2026 — 20x Class B and C applications open<br>December 7, 2026 — VDR and VER become mandatory<br>January 1, 2027 — Broader mandatory CR26 adoption begins<br>June 11, 2027 — FedRAMP stops accepting new Rev. 5 certification applications</p><p>Explore more FedRAMP 20x insights from 38North Security: <br>https://38northsecurity.com/fedramp-20x/  </p><p>Explore 38North Security’s FedRAMP services:<br>https://38northsecurity.com/security-compliance/north-america/fedramp/</p><p>#FedRAMP #FedRAMP20x #cloudsecurity #cybersecurity #govtech  #38NorthSecurity #federal #cloudsecuritypodcast</p>]]>
      </description>
      <content:encoded>
        <![CDATA[<p>With FedRAMP's Consolidated Rules for 2026 being final, FedRAMP 20x is officially here. </p><p>That changes how cloud service providers enter FedRAMP, define scope, prove security, maintain certification, and work with federal agencies.</p><p>In this episode, Ingrid Velasquez-Woodley speaks with Sam Leestma, Vice President of Solutions Engineering, and Spence Witten, Principal Consultant at 38North Security, about the six parts of CR26 most likely to affect cloud providers and agencies.</p><p>Topics include:</p><p>* How the new certification classes differ from the Rev. 5 impact levels<br>* Whether Minimum Assessment Scope will actually reduce cost and complexity<br>* Why Key Security Indicators may provide better assurance than point-in-time evidence<br>* Whether the Security Decision Record could become the next oversized compliance document<br>* What VDR and VER require before the December 7, 2026 deadline<br>* Why existing Rev. 5 providers may struggle with vulnerability automation<br>* How ongoing certification differs from continuous validation<br>* Whether annual assessments should become less burdensome<br>* Why CR26 limits agencies from creating their own parallel FedRAMP requirements<br>* What the major CR26 transition dates mean for providers<br>* What CSPs considering 20x—and those already holding Rev. 5 certifications—should do now</p><p>The discussion also covers where FedRAMP got the model right, where the final rules still create uncertainty, and how implementation by agencies, assessors, and providers will determine whether CR26 actually reduces duplication and improves security visibility.</p><p>Important dates discussed:</p><p>June 24, 2026 — CR26 becomes final<br>July 4, 2026 — Optional early adoption begins<br>July 28, 2026 — FedRAMP Ready becomes a legacy designation<br>August 3, 2026 — Class A applications open<br>August 10, 2026 — Limited Rev. 5 Class B and C transition pathways open<br>August 31, 2026 — 20x Class B and C applications open<br>December 7, 2026 — VDR and VER become mandatory<br>January 1, 2027 — Broader mandatory CR26 adoption begins<br>June 11, 2027 — FedRAMP stops accepting new Rev. 5 certification applications</p><p>Explore more FedRAMP 20x insights from 38North Security: <br>https://38northsecurity.com/fedramp-20x/  </p><p>Explore 38North Security’s FedRAMP services:<br>https://38northsecurity.com/security-compliance/north-america/fedramp/</p><p>#FedRAMP #FedRAMP20x #cloudsecurity #cybersecurity #govtech  #38NorthSecurity #federal #cloudsecuritypodcast</p>]]>
      </content:encoded>
      <pubDate>Thu, 02 Jul 2026 12:10:03 -0400</pubDate>
      <author>38North Security</author>
      <enclosure url="https://media.transistor.fm/e705dcae/29c8f44d.mp3" length="134118" type="audio/mpeg"/>
      <itunes:author>38North Security</itunes:author>
      <itunes:duration>7</itunes:duration>
      <itunes:summary>
        <![CDATA[<p>With FedRAMP's Consolidated Rules for 2026 being final, FedRAMP 20x is officially here. </p><p>That changes how cloud service providers enter FedRAMP, define scope, prove security, maintain certification, and work with federal agencies.</p><p>In this episode, Ingrid Velasquez-Woodley speaks with Sam Leestma, Vice President of Solutions Engineering, and Spence Witten, Principal Consultant at 38North Security, about the six parts of CR26 most likely to affect cloud providers and agencies.</p><p>Topics include:</p><p>* How the new certification classes differ from the Rev. 5 impact levels<br>* Whether Minimum Assessment Scope will actually reduce cost and complexity<br>* Why Key Security Indicators may provide better assurance than point-in-time evidence<br>* Whether the Security Decision Record could become the next oversized compliance document<br>* What VDR and VER require before the December 7, 2026 deadline<br>* Why existing Rev. 5 providers may struggle with vulnerability automation<br>* How ongoing certification differs from continuous validation<br>* Whether annual assessments should become less burdensome<br>* Why CR26 limits agencies from creating their own parallel FedRAMP requirements<br>* What the major CR26 transition dates mean for providers<br>* What CSPs considering 20x—and those already holding Rev. 5 certifications—should do now</p><p>The discussion also covers where FedRAMP got the model right, where the final rules still create uncertainty, and how implementation by agencies, assessors, and providers will determine whether CR26 actually reduces duplication and improves security visibility.</p><p>Important dates discussed:</p><p>June 24, 2026 — CR26 becomes final<br>July 4, 2026 — Optional early adoption begins<br>July 28, 2026 — FedRAMP Ready becomes a legacy designation<br>August 3, 2026 — Class A applications open<br>August 10, 2026 — Limited Rev. 5 Class B and C transition pathways open<br>August 31, 2026 — 20x Class B and C applications open<br>December 7, 2026 — VDR and VER become mandatory<br>January 1, 2027 — Broader mandatory CR26 adoption begins<br>June 11, 2027 — FedRAMP stops accepting new Rev. 5 certification applications</p><p>Explore more FedRAMP 20x insights from 38North Security: <br>https://38northsecurity.com/fedramp-20x/  </p><p>Explore 38North Security’s FedRAMP services:<br>https://38northsecurity.com/security-compliance/north-america/fedramp/</p><p>#FedRAMP #FedRAMP20x #cloudsecurity #cybersecurity #govtech  #38NorthSecurity #federal #cloudsecuritypodcast</p>]]>
      </itunes:summary>
      <itunes:keywords>cybersecurity, FedRAMP, FedRAMP 20x</itunes:keywords>
      <itunes:explicit>No</itunes:explicit>
    </item>
  </channel>
</rss>
