On March 24, 2025, the Federal Risk and Authorization Management Program (“FedRAMP”) announced a major overhaul of the program, which is being called “FedRAMP 20x.” The FedRAMP 20x announcement stated there are no immediate changes to the existing authorization path based on agency sponsorship and assessment against the FedRAMP Rev 5 baseline.[1] However, once the initiative kicks off, we expect major changes to speed up and streamline that authorization path that likely will be welcomed by industry partners and cloud service providers participating in the program. Below are key points based on the recent FedRAMP 20x announcement.
The primary goals of the FedRAMP 20x initiative include:
- Implementing automated validation for roughly 80% of FedRAMP requirements, leaving only about 20% to be addressed through narrative, as opposed to the fully narrative explanations currently required in the document submission package.
- Leaning on industry partners to provide continuous, simple, standardized, machine-readable validation of continuous monitoring decisions.
- Fostering trust between industry and federal agencies to promote direct relationships between cloud service providers and their agency customers. Note that this appears to indicate that the FedRAMP Program Management Office (“PMO”) will have a much smaller role in the authorization and assessment process moving forward.
- Replacing annual assessments with simple automated checks.
- Replacing the significant change process with an approved business process, developed in collaboration with industry, that will not require additional oversight.
FedRAMP 20x will be implemented in phases. The timeline for Phase 1 has not been announced, but once it opens, Phase 1 seeks to streamline the authorization process so that eligible participants can have cloud service offerings authorized in weeks rather than months. Phase 1 will focus on Software-as-a-Service offerings with the following characteristics:
- Deployed on an existing FedRAMP Authorized cloud service offering using entirely or primarily cloud-native services;
- Minimal or no third-party cloud interconnections, with all services that handle federal information being FedRAMP Authorized;
- Service is provided only via the web (browser and/or APIs);
- Offering supports a few standard customer-configured features needed by federal agencies (or the cloud provider is willing to build that capability quickly); and
- Existing adoption of commercial security frameworks is a plus (SOC 2, ISO 27000, CIS Controls, HITRUST, etc.).
The practical implications of Phase 1 appear to be positive. Cloud service providers will be able to submit shorter authorization packages (i.e., less narrative and more documentation of standard configuration choices). The documentation required for Phase 1 includes (1) documentation of the security controls implemented by the cloud service provider and (2) materials demonstrating the cloud service provider’s existing commercial security framework to the extent it overlaps with FedRAMP requirements (e.g., a Security & Privacy Policy). Phase 1 authorizations will also include an automated validation component, which may require configuration changes to satisfy certain security controls. Following the assessment, the cloud service offering will receive a score reflecting the Confidentiality, Integrity, and Availability of federal information, and federal agencies will review that score when making risk assessments prior to adoption. Lastly, continuous monitoring will change: annual assessments will be replaced with simple automated checks, and a new significant change process will not require additional oversight.
Overall, the goal of the FedRAMP 20x changes is to establish more efficient authorization and continuous monitoring processes through less documentation and narrative explanation, a more automated process with quicker authorization timelines, and less burdensome continuous monitoring activities enabled by automation. This should make it easier for cloud providers to sell their offerings to the government. Industry participation is a major focus of the new initiative. Community engagement groups plan to begin meeting immediately, and there will be opportunities for public comment as new ideas and documentation are rolled out. The community group meetings are focused on four topics: (1) Rev 5 Continuous Monitoring, (2) Automating Assessments, (3) Applying Existing Frameworks, and (4) Continuous Reporting. For those in this space, it will be important to participate to ensure industry partners are involved in shaping the program. The schedule for the meetings can be found here.
FOOTNOTES
[1] The FedRAMP Rev. 5 baseline aligns with National Institute of Standards and Technology (“NIST”) Special Publication (“SP”) 800-53, Security and Privacy Controls for Information Systems and Organizations, Revision 5.