GSA Announces Initiative to Revamp FedRAMP to Further Administration’s Priority of Promoting Government Efficiency

Latham & Watkins LLP

FedRAMP 20x aims to increase efficiency through automation and removal of hurdles to FedRAMP authorization.

On March 24, 2025, the General Services Administration (GSA) announced an initiative to overhaul the Federal Risk and Authorization Management Program (FedRAMP) to streamline the authorization process and automate security assessments. As part of the Trump administration’s focus on government efficiency, the initiative — “FedRAMP 20x” — proposes to “make automated authorization simpler, easier, and cheaper while continuously improving security.”

Initially established in 2011 by the Office of Management and Budget and codified in December 2022, FedRAMP is a government program that standardizes the approach to security assessments, authorizations, and continuous monitoring for cloud services offered to the federal government. Cloud service providers (CSPs) that sell or plan to sell FedRAMP-authorized cloud services to the federal government’s civilian agencies obtain FedRAMP authorization before doing so. Dozens of commercial providers currently offer 386 FedRAMP-authorized services on the FedRAMP marketplace.

FedRAMP currently requires CSPs to secure a federal agency sponsor in order to obtain authorization, to document compliance with hundreds of technical security controls, and to continuously monitor the security of their cloud products. FedRAMP 20x is still in the early stages of implementation but proposes several key changes to these aspects of the program:

  • Removing agency sponsorship requirement. FedRAMP 20x will remove the requirement for CSPs to find a federal agency sponsor to guide them through the authorization process, which has long been the most common path to FedRAMP authorization.[1] CSPs will submit documentation and automated validation directly to FedRAMP, and agencies using the cloud service offering will authorize operation of the cloud service.
  • Automated and streamlined authorization process. FedRAMP authorization currently requires that CSPs undergo a third-party assessment of their cloud service offering and complete a lengthy security authorization package documenting the CSP’s processes and procedures for satisfying hundreds of technical security controls. FedRAMP 20x will “automate as much of the process as possible . . . so that new cloud services can be approved in weeks instead of years.” FedRAMP 20x will feature a cloud-native, automated security assessment process that enables CSPs to continuously validate system security. Leaning heavily into automation, FedRAMP 20x aims to automate the validation of at least 80% of security controls, which will no longer require narrative explanations in security authorization packages. FedRAMP 20x also aims to leverage existing commercial security frameworks by limiting new required documentation to a few pages if CSPs provide existing security policies, change management policies, and other documentation. At least initially, authorization at the FedRAMP High level will remain a manual process.
  • New technical control translations. FedRAMP 20x will transition from baseline security control checklists to “Key Security Indicators.” FedRAMP describes those Key Security Indicators as “straightforward, measurable and comparable translations of traditional controls,” designed to be validated through future automation.
  • Review of new security authorization packages. Currently, CSPs submit their security authorization packages to a federal agency for review. The FedRAMP Program Management Office (PMO) then performs a second-level review of the security authorization package. To increase efficiency, the PMO will cease second-level reviews of security authorization packages after March 2025, and federal agencies will be responsible for reviewing packages and making their own risk assessments without the PMO’s input.
  • Automated continuous monitoring. FedRAMP 20x will automate continuous monitoring for existing CSPs, who will “generate reports directly using their own automation systems against a simple standard, and then make those reports available to customers via normal channels.” Additionally, the PMO will halt centralized continuous monitoring of cloud service offerings approved by the JAB, which provided an alternate path to FedRAMP authorization. That responsibility will now fall on the authorizing federal agency.

FedRAMP 20x also leans heavily into collaboration with industry stakeholders to help design the standards and policies underlying the initiative. As an initial step, FedRAMP is launching four Community Working Groups by mid-April 2025 to provide the public an opportunity to collaborate with FedRAMP experts on key efforts related to FedRAMP 20x. While GSA has not provided a timeline to roll out FedRAMP 20x, the FedRAMP website explains that the changes will “be formalized on a rolling basis as the pilot is validated by the Community Working Groups.”

Contractors that provide or plan to provide cloud service offerings to the government should be mindful of changes to the FedRAMP authorization and continuous monitoring processes. They should also consider participating in the new Community Working Groups to collaborate directly with FedRAMP on rolling out FedRAMP 20x. It remains to be seen how FedRAMP 20x will work in practice, and whether the administration’s ongoing efforts to consolidate government procurements for common goods and services under GSA (for more information see this Latham blog post) will impact agencies’ purchasing of FedRAMP-authorized cloud products.

Latham will continue monitoring and providing updates on the rollout of FedRAMP 20x and related guidance.


  [1] Prior to August 2024, CSPs could also obtain authorization by going through the now-defunct Joint Authorization Board (JAB), which was composed of officials from the GSA and the Departments of Homeland Security and Defense.

DISCLAIMER: Because of the generality of this update, the information provided herein may not be applicable in all situations and should not be acted upon without specific legal advice based on particular situations. Attorney Advertising.

© Latham & Watkins LLP
