The rise of DOGE (Department of Government Efficiency) and the rollout of FedRAMP 20x are forcing a long-overdue conversation: How do we automate and modernize cybersecurity assessments for federal clouds—without drowning in paperwork or relying on outdated processes?
This isn’t a new conversation. It’s been echoing across government hallways since the days of GISRA, then FISMA. We’ve known for decades that our assessment processes are broken. We just didn’t have the political will—or perhaps the right technology—to fix it. Until now.
From Telnet to Zero Trust
I come from the early days of the DoD and Intelligence Community’s cyber programs—before “cybersecurity” was even a formal discipline. In the mid-1990s, I witnessed some of the first live Information Operations against U.S. systems by foreign adversaries. Back then, people thought the internet was a toy. We left telnet ports wide open so researchers and contractors could log into government networks from home—and then we were shocked when adversaries logged in too, often using the brilliant password of… “password.”
We knew it was wrong. We knew it was dangerous. But we didn’t have automation, we didn’t have scalable monitoring, and frankly, not enough people cared. That all changed post-9/11, when funding and attention surged—at least in the DoD and IC. But the civilian agencies? They were a decade behind.
When I moved into civilian federal cyber work, I was shocked. Instead of actual cybersecurity, we had compliance theater: interview-based questionnaires, narrative-heavy documentation, and security plans the size of War and Peace. No automation, no validation, no accountability.
“Just Run a Scanner and Write a Thousand Pages”
When I was working at several civilian agencies, we implemented GISRA and FISMA assessments with little more than a vulnerability scanner and a checklist. The scanner would sometimes be right, sometimes wrong. Either way, we would generate lots of things to work on and were backed by the security of a thousand-page security plan—which no one read and no one used. Actually, I got good at getting CISOs and CIOs to take my word for it that the 1000 pages met the requirement, not that they were going to read it anyway. Meanwhile, Russia and China were logging in every night, ensuring that our passwords didn’t change. They didn’t like surprises.
Fast forward twenty years and we’ve made progress—but we’re still dragging around the same bloated processes. Our tools and people got better. We built Security Operations Centers that looked like Star Trek. We created hundreds of tools, some configured correctly, many not. We hired and trained people. We threw money at it. But the same fundamental flaw persisted: humans are too slow, too subjective, and too overloaded to secure dynamic, modern cloud systems. They are also the ones that don’t read or follow our 1000-page documents. I blame them.
DOGE, FedRAMP 20x, and the Return to Real Security
Now we have a chance to change that (note: I say this every time, but someday I may be right). The FedRAMP 20x initiative, spearheaded by DOGE, is finally addressing the core issues:
- Automate the validation of 80%+ of security controls
- Stop writing narratives, and start validating systems via machine-readable outputs
- Inherit proven commercial controls, not reinvent them
- Continuously monitor, not re-certify once a year
- Empower providers and agencies to work together in real time
In short, FedRAMP 20x is a move away from paper-based assessments toward real-time, automated cyber enforcement. This is exactly what we needed in the 1990s—and it’s finally possible with today’s technology.
What Needs to Happen Next
To truly succeed, this shift must:
- Kill the paperwork. Replace narrative control documentation with machine-readable, real-time checks.
- Embrace Zero Trust. Every AI agent, API, or cloud module should be validated continuously—not once a year.
- Leverage AI & automation. Humans can’t track 10,000 alerts per hour. But automated systems can.
- Enable secure innovation. We need to modernize the government’s 1970s tech stack—without choking it with compliance.
- Focus on outcomes, not forms. Security isn’t a checklist; it’s a constant, dynamic process.
The Bottom Line
We’ve known the problem for decades. We’ve lived it—from open telnet sessions to 1000-page assessments that no one reads. What DOGE and FedRAMP 20x are proposing isn’t just smart policy—it’s decades overdue. If we can get this right, we’ll finally move beyond compliance theater and into the era of real security, privacy, and operational resilience. I hope all the “Non-Profits” that enforce security and privacy standards are reading this and adopting a similar roadmap.
Let’s just hope we don’t write 1000 pages about it. I tried my best not to write more than two pages on this subject.
About the Author
Waylon Krush is the CEO of ZeroTrusted.AI, former CEO of Lunarline, and a U.S. Army veteran with over 25 years of experience in cybersecurity across DoD, the Intelligence Community, and federal civilian agencies.