FedRAMP Update – New Approach(es) to Authorization on the Way 

April 2, 2025

On Monday, March 24, 2025, the General Services Administration (GSA) launched FedRAMP 20x, an effort to automate parts of the program and collaborate with industry to improve the authorization process for cloud providers looking to work with the federal government.

First launched in 2011, the Federal Risk and Authorization Management Program (FedRAMP) is a federal program that provides a standardized approach to authorizations, security assessments, and continuous monitoring of cloud services and products. The program applies a “do once, use many” times approach to cloud products, promoting reuse of cloud products with existing authorizations by federal agencies without needing to meet additional cybersecurity requirements. The program plays a crucial role in the adoption of cloud solutions across the federal government, because federal agencies “must obtain and maintain a FedRAMP authorization” for cloud products and services that “create, collect, process, store, or maintain” federal information on behalf of an agency.

As a result, cloud providers seeking to do business had no choice but to go through the FedRAMP authorization process. Unfortunately, our experience shows that many companies in this space chose in the past to avoid federal contracting, because the authorizations are notoriously difficult to achieve and costly, most times taking millions of dollars and years to complete.

What changed?

FedRAMP 20x is a new initiative launched by FedRAMP, designed to create a new framework for authorization and assessment of cloud services for the federal government. The initiative represents a potential game changer in the government’s approach to the cloud. The goal of FedRAMP 20x is to develop a new cloud-native authorization approach. The initiative creates working groups in collaboration with industry to come up with innovative solutions that simplify authorization and reduce the resources needed to approve a cloud product or service. Its emphasis is on adding more automation to applications, validation, monitoring, and enforcement, which would simplify the process for cloud providers to meet minimum security requirements for federal information systems.

On March 4, FedRAMP Director Pete Waterman announced that the program will focus on clearing the agency authorization backlog by the end of April, while the working groups will help to shape other paths to FedRAMP authorization. These four working groups, which launch within the month, are open to industry to join:

What remained?

At least for now, the program will remain unchanged, including processes and procedures for FedRAMP authorization, until further notice. All companies and sponsoring agencies in the process of FedRAMP Rev. 5 authorization should continue the process, with the FedRAMP Program Management Office (PMO) continuing Rev. 5 agency authorization “on demand” after resolution of the backlog. More generally, the principles of the program will remain the same, with changes taking place in the implementation of the program.

Looking into the future

We anticipate more changes to the FedRAMP program in the near future, with FedRAMP 20x just one of many new approaches for this critical authorization program. Fortunately, we see FedRAMP 20x as a sign of general movement to improve the program. It also reflects some of the efforts to modernize FedRAMP per the most recent Office of Management and Budget memo. Perhaps this event will kickstart a broader change across the program and lead to more permanent changes, while keeping private industry’s abilities and interests in mind.

More specifically, the initiative will serve to:

  • Simplify FedRAMP application and validation through automated validation of the requirements, encapsulating 80% of the security requirements, instead of requiring narrative explanations of technical controls.
  • Push for the program to create automation methods in assessment and continuous monitoring stages.
  • Create a method to apply existing security frameworks from the industry directly to FedRAMP without creating a separate process.
  • Make elimination of agency sponsorship for FedRAMP authorization the new norm, with cloud service providers able to submit documentation directly to FedRAMP.

The technical guidance will go through “public comment” before becoming official. Also, it is important to keep in mind that the program significantly cut its workforce, emphasizing the importance of industry and automation in the federal cloud space.

Cozen O’Connor’s Government Contracts attorneys are following changes in this area closely and are available to assist with any questions or issues that may arise.

 

 

Authors

Eric Leonard

Co-Chair, Government Contracts

(202) 280-6536

This Alert was written with the assistance of Kristina Zaslavskaya.