Original broadcast 8/19/25
Presented by SAP NS2 & Carahsoft
The shift to cloud computing has transformed how government agencies operate, but it has also introduced a maze of frameworks, compliance requirements, and security considerations. Penny Klein, Chief Information Security Officer at SAP NS2, has seen this evolution firsthand — from the days when systems were housed on mainframes in the basement to today’s complex, interconnected cloud environments. Her message is clear: security frameworks must adapt, and industry must play an active role in shaping them.
Klein points to the increasing number of frameworks now influencing federal cybersecurity, including FedRAMP, the NIST Risk Management Framework (RMF), endpoint security standards, and insider threat protections. There’s also growing attention to the software bill of materials (SBOM) to track and validate the components in government systems. While these frameworks are valuable, she warns that too many overlapping requirements can pull focus away from actual security.
“When every agency has its own security control or multiple frameworks to choose from, it gets hard for both industry and government,” Klein explains. “The risk is spending too much time checking compliance boxes instead of securing systems.”
She notes that, over time, agencies have oscillated between merging frameworks under a single umbrella, such as FedRAMP, and diverging into separate processes. Ultimately, she believes some consolidation is inevitable to make the process more efficient.
Klein also stresses the importance of industry’s role in driving security innovation. Since technology companies are the ones developing the solutions, they have unique insight into what works — and what doesn’t — in the real world. She urges industry leaders to participate in policy discussions, provide feedback on proposed standards, and advocate for security measures that are both effective and practical.
From the government side, Klein says greater transparency would help industry prepare for and respond to new requirements. Early visibility into upcoming policies, pain points, and areas of concern would allow technology providers to address risks proactively. Trust between the public and private sectors is essential, she adds, for this collaboration to succeed.
If she were back in a government role, Klein says her top questions to industry would focus on security intent rather than just compliance. “Anybody can read a control in black and white,” she explains. “But how are you implementing it? How are you securing this now that you, not the government, are running the scans?”
Ultimately, Klein believes that cloud security frameworks must evolve in a way that keeps pace with technology while remaining grounded in practical, enforceable measures. That evolution will require continuous collaboration between agencies and industry — and a shared commitment to focusing on security outcomes rather than simply compliance checkmarks.
Key Takeaways:
- Too many overlapping frameworks can create inefficiencies and distract from actual security.
- Industry must play an active role in shaping security policies to ensure they are effective and practical.
- Government transparency about future policies allows industry to prepare and address risks proactively.
Watch the full program at InnovationInGov.com