Meet Mary Schafer, Senior FedRAMP Program Manager
Senior FedRAMP Program Manager Mary Schafer built Abnormal's federal security program from a whiteboard idea — and proved that startup speed and federal-grade security can coexist.
April 29, 2026

When Mary Schafer joined Abnormal two years ago, FedRAMP was just a concept on a whiteboard. No program, no infrastructure, no playbook. What followed was a two-year sprint to build a fully operational federal security program from scratch — one that now supports over 50 public sector customers and stands up to some of the most rigorous security standards in the world. Mary didn't just manage the compliance. She redesigned what compliance could look like inside a company built to move fast.
From Auditor to Builder
Before Abnormal, Mary spent her career as a cybersecurity auditor and consultant — and served as an Army Reservist. She was good at the work, but something was missing.
"I spent a lot of time advising others on what needed to change in their environments, but I wasn't building the solution or living with the outcome."
That gap is what drew her to Abnormal. The chance to own something end-to-end — from requirements to delivery to customer success — was exactly what she'd been looking for. Two years later, she's lived every stage of it.
"That end-to-end ownership from requirements to delivery to customer success is exactly what I'd been looking for."
Startup Speed, Federal Standards
Building a FedRAMP program inside a fast-moving startup meant solving a tension most compliance frameworks don't account for: how do you meet one of the highest security standards in the world without slowing down a company that ships constantly?
Mary's answer was to treat compliance as a systems design problem, not a governance exercise. When evidence collection was creating friction across engineering, IT, and security teams, she didn't add more process. She rebuilt the process.
"When we got started, my priority was to strip away the jargon. I focused on distilling every security control into a concrete action or a repeatable process."
She assigned a single directly responsible individual to every requirement, established a single source of truth for data, and automated evidence collection wherever possible. For the tasks that still needed a human touch, she built small, date-tied milestones that fit into existing workflows rather than disrupting them.
"We didn't just check a compliance box — we built a high-speed operating model that the government can trust."
Making Risk Real
Getting engineering teams to genuinely engage with compliance requirements, rather than just tolerate them, is one of the hardest parts of the job. Mary's approach is to connect every requirement to the actual risk behind it.
One example came up when her team was evaluating whether a new AI tool could be used inside Abnormal's federal environment. On paper, the requirement looked administrative. But once the team understood that using an unauthorized tool risked processing federal data outside the approved boundary — creating real security and audit exposure — the conversation shifted.
"It was no longer about getting an exception. It became about keeping data inside the boundary or choosing an authorized alternative."
That reframe led to a stronger, more defensible change management process. It's the same principle Mary applies across the program: anchor every requirement in risk and customer impact, and teams stop seeing compliance as a blocker.
"Security and compliance aren't brought in at the end to approve or block something. We're part of shaping the solution from the start, which creates a much healthier dynamic."
The Day It All Became Real
For all the systems built and milestones cleared, there's one moment Mary comes back to.
The day Abnormal onboarded its first FedRAMP customer, after months of preparation across engineering, security, legal, and IT, she watched the app screen light up and the integration sync seamlessly. The team exhaled together.
"Seeing the genuine pride on the faces of my teammates — some of whom had never navigated federal requirements before — was incredibly moving. It wasn't just proving out the product. It was about realizing that we could achieve something together by stretching our capabilities."
The feeling she describes — the "it actually works" moment — is what Mary says she'll carry with her for a long time. It's also what the program was always about. Not a checkbox. A proof point that public sector organizations can trust Abnormal with their most sensitive environments.
What's Next
Mary isn't finished building. Over the next year, her focus is on evolving the program to meet FedRAMP High security controls — a significant uplift that demands even more rigorous implementation. She's working toward a state where audits are near-instant, evidence collection is largely automated, and the federal program becomes a primary enabler of new customer opportunities.
"I want to provide federal customers with such high-fidelity transparency that our program becomes a primary enabler of opportunity. We're not just meeting constraints — we're clearing the path for the government to innovate securely at the highest impact levels."
That ambition is what makes Abnormal the right place for her right now. The caliber of people, the shared ownership, the willingness to do hard things in service of a mission that matters.
"There's a deep sense of humility and shared ownership here. I get to scale these high-stakes solutions alongside brilliant people who are just as committed to the mission as I am. There is really nothing more rewarding than that."


