FedRAMP 20x Initiative Promises Major Changes for Federal Cloud Service Providers

Davis Wright Tremaine LLP

GSA's new initiative could significantly streamline FedRAMP authorizations and reduce agency and third-party oversight—but many questions remain

Major changes are coming again to the Federal Risk and Authorization Management Program ("FedRAMP"), the federal government's cybersecurity authorization program for cloud service providers ("CSPs").

On March 24, 2025, the General Services Administration announced the "FedRAMP 20x" initiative to dramatically streamline FedRAMP's security assessment, authorization, and compliance monitoring processes. The FedRAMP 20x initiative aims to automate validation of CSPs' compliance with FedRAMP requirements, permit CSPs to leverage commercial security frameworks to achieve authorizations, and reduce agency and third-party oversight of cloud services. FedRAMP says these "cloud-native" improvements will shrink the timeline for CSPs to achieve FedRAMP authorization to "weeks, instead of months and years."

Notably, FedRAMP intends to simplify requirements for CSPs to make a "significant change" to their cloud services. Currently, a cloud service must undergo a third-party security assessment and obtain FedRAMP approval before a "significant change" to the service is made, and this approval process can be complex and lengthy. As a result, the federal government sometimes receives new functionality well after it is made available to the private sector. Under FedRAMP 20x, "[s]ignificant changes that follow an approved established business process won't require additional oversight." FedRAMP also intends to avoid "ghost regulations." A common complaint of CSPs is that FedRAMP may enforce significant requirements as a matter of common practice or understanding, without documenting those requirements in formal guidance.

FedRAMP has launched a series of recurring town halls in the form of four Community Working Groups to assess and drive program changes. The FedRAMP 20x initiative is in its very early stages and publicly available details currently are thin. Cloud service providers to federal agencies should monitor the initiative's progress and take note of significant changes to FedRAMP.

Background on FedRAMP

Established in 2011 by an Office of Management and Budget ("OMB") policy memorandum, FedRAMP is intended to provide federal agencies with a standardized approach for assessing the security of cloud services and authorizing their use by federal agencies. FedRAMP historically maintained two primary authorization paths. CSPs either could obtain an "authority to operate" ("ATO") from a sponsoring federal agency or a provisional ATO ("P-ATO") from the Joint Authorization Board ("JAB"), FedRAMP's governing body. Federal agencies then could leverage a cloud service's existing ATO or P-ATO to authorize that service for their own use, rather than having to conduct another authorization process of their own.

The GSA has estimated that FedRAMP has saved hundreds of millions of dollars by streamlining the authorization process. Nevertheless, FedRAMP has faced significant criticism throughout its existence, including that its authorization process is excessively expensive and painfully slow. A 2019 study by the Government Accountability Office found that many federal agencies were using cloud services that had not been FedRAMP authorized and that agencies frequently were forcing FedRAMP-authorized cloud services to undergo additional burdensome authorization processes.

Congress codified FedRAMP in December 2022 when it enacted the FedRAMP Authorization Act as part of the 2023 National Defense Authorization Act. The FedRAMP Authorization Act sought to address many complaints about the program, including by directing efforts to make the authorization process faster and more automated. The act also overhauled FedRAMP's governance structure, replacing the JAB with a FedRAMP Board, granting the FedRAMP Program Management Office ("PMO") additional authorities, and creating a Federal Secure Cloud Advisory Committee (we analyzed the FedRAMP Authorization Act in a prior post). GSA announced appointment of the FedRAMP Board and dissolution of the JAB in May 2024.

Strategic Goals of FedRAMP 20x

FedRAMP has announced five strategic goals for the FedRAMP 20x initiative:

  1. Simplification Through Automation: The initiative seeks to automate validation of at least 80% of FedRAMP's security requirements, reducing the need for manual documentation and narrative explanations. These automated validation reports will be made available directly to federal agencies. Currently, CSPs must provide manual documentation and explanations of all controls to demonstrate their compliance. Through this simplified validation process, CSPs may no longer need to partner with a "sponsor" agency to achieve FedRAMP authorization. Instead, CSPs will be able to pursue a simplified authorization process through FedRAMP, making their services available for use by any federal agency through the FedRAMP marketplace.
  2. Leveraging Existing Commercial Security Frameworks: Under FedRAMP 20x, CSPs will be able to leverage existing "best-in-class" commercial security frameworks to demonstrate their compliance with FedRAMP. This will allow CSPs to provide their existing security policies, change management policies, and other documentation as evidence of compliance—rather than requiring agencies and CSPs to create new documentation. According to FedRAMP, this work may result in a streamlined authorization pathway that uses commercial security approaches, rather than government-specific ones.
  3. Hands-Off Approach to Continuous Monitoring: The initiative aims to standardize, simplify, and automate assessment and monitoring processes. FedRAMP intends to reduce the need for agency and third-party oversight of CSPs' compliance in favor of ongoing, automated oversight. According to at least one GSA official, third-party assessments will not go away but third-party engagements will be much smaller once much of the validation process is automated.
  4. Building Trust Through Collaboration: FedRAMP 20x intends to increase direct interaction between CSPs and the agencies that use their services, and to decrease the involvement of FedRAMP.
  5. Enabling Rapid Improvements: The initiative intends to implement continuous enforcement systems that will replace annual FedRAMP compliance assessments with "simple automated checks." Notably, CSPs will no longer need to obtain FedRAMP approval of "significant changes" to the services if they follow approved change management processes.

Impact on Current FedRAMP Processes

FedRAMP has not articulated specific timelines for implementing FedRAMP 20x. Even so, CSPs may already see significant changes to FedRAMP processes and the FedRAMP PMO. The PMO recently shrunk its workforce by terminating multiple contractor relationships and now purports to be "a much smaller team with all efforts focused on maximizing efficiency." According to FedRAMP, the PMO has ceased "nearly all other previously discussed work." The GSA's Technology Transformation Service (TTS), of which the PMO is a part, also recently announced significant layoffs.

Other immediate changes to FedRAMP include:

  • Phase One Rollout: FedRAMP has announced "Phase One" of FedRAMP 20x, focused on launching a simplified, cloud-native, continuous security assessment process for certain software-as-a-service ("SaaS") applications. Eligible SaaS products include those that already have FedRAMP authorizations. Adoption of existing security frameworks such as SOC 2 or ISO 27000 is considered "a plus."
  • Ongoing Authorizations Supported (For Now): There currently is only one FedRAMP authorization path available to CSPs: achieving an agency-issued ATO based on NIST Special Publication (SP) 800-53 rev. 5. FedRAMP says that it will continue to accept these authorizations while it works to develop new streamlined processes. Eventually, a formal end-of-life timeline for these existing authorizations will be established, and presumably CSPs will be required to move to the new authorization process. FedRAMP advises that CSPs currently pursuing or planning to pursue the existing authorization path "evaluate the progress of FedRAMP's efficiency improvement initiatives to make their own informed decisions" about whether to pursue the existing path or wait for the improvements to be rolled out.
  • Limited FedRAMP Review of Rev. 5 Authorizations: FedRAMP says that it has stopped performing "triple check" reviews of agency-issued ATOs as of March 2025. Agencies now are expected to review their own authorizations in depth, and FedRAMP's review will be focused on confirming that the authorization is complete—not whether the authorization is proper. FedRAMP has described this change as a return to FedRAMP's statutory authority. FedRAMP is charged with creating a standardized approach to federal cloud security, but determining whether a cloud service is appropriate for agency use is the responsibility of each agency under the Federal Information Security Modernization Act ("FISMA").
  • Sunset of Technical Assistance: The FedRAMP PMO has ceased providing updated technical assistance or guidance for implementing FedRAMP's existing security requirements as of March 2025. Agencies now are responsible for conducting in-depth reviews and making their own risk assessments without PMO input.
  • Continuous Monitoring by Agencies: FedRAMP previously managed continuous compliance monitoring of CSPs that had received a P-ATO through the (now dissolved) JAB. As of March 2025, FedRAMP has ceased this centralized monitoring, which is now the responsibility of each agency. It is unclear whether this change will result in significant overlap of agencies' monitoring activities for CSPs that are used by many agencies. A Community Working Group will focus on updating continuous monitoring processes.

Next Steps: Community Working Groups

FedRAMP has launched four Community Working Groups to develop standards and guidance for FedRAMP 20x: Rev5 Continuous Monitoring, Automating Assessments, Applying Existing Frameworks, and Continuous Reporting. These groups, which are open to the public, have begun meeting on a biweekly basis and will be facilitated by the PMO. According to FedRAMP, each piece of guidance developed through these working groups will undergo formal public comment before being officially incorporated into program rules.

Conclusion

The FedRAMP 20x initiative promises many improvements to FedRAMP that will be welcome to CSPs, including simplified and automated authorizations, lighter touch continuous monitoring, and streamlined procedures for introducing "significant changes" to their cloud services. But specifics on these developments are light at this early stage.

DISCLAIMER: Because of the generality of this update, the information provided herein may not be applicable in all situations and should not be acted upon without specific legal advice based on particular situations. Attorney Advertising.

© Davis Wright Tremaine LLP
