FedRAMP 20x – What’s on the Horizon?

The unveiling of the FedRAMP 20x approach emphasizes automation, reducing paperwork, and fostering more direct collaboration between cloud service providers (CSPs) and federal agencies.

The Federal Risk and Authorization Management Program (FedRAMP) is undergoing a governance transformation aimed at streamlining cloud service authorizations and enhancing collaboration with industry stakeholders. These proposed changes are designed to expedite the adoption of cloud technologies within federal agencies.

Many are looking for concrete answers – much of the program direction and refinement will be further decided in the industry working groups as outlined below.

FedRAMP 20x

Key Updates from the FedRAMP 20x Initiative:

  1. Introduction of FedRAMP 20x – The General Services Administration (GSA) has unveiled “FedRAMP 20x,” a strategic initiative to modernize the authorization process. This approach emphasizes automation, reducing paperwork, and fostering more direct collaboration between cloud service providers (CSPs) and federal agencies. The goal is a reduction in authorization paperwork and timelines, while accelerating adoption of more cloud service offerings into the hands of the government. Automation efficiency will be a key focus area in the new program.

  2. Existing FedRAMP Authorizations – FedRAMP Rev 5 Authorizations (i.e., the existing way of pursuing FedRAMP) are the only path to authorization at this time. Everything proposed in FedRAMP 20x is still a work in progress.
    • If you’re already authorized, you should continue with your ongoing continuous monitoring requirements, including conducting monthly submissions (this process is changing – see below), significant change assessments, and annual assessments.
    • If you have an agency sponsor, you should continue with your plans to obtain an authorization using the existing process, as the new, proposed process will take some time to be finalized.
    • If you do not have an agency sponsor but need to pursue FedRAMP in the short-term, FedRAMP readiness assessments are still a path to get posted on the Marketplace.
    • As FedRAMP 20x progresses, the need for a sponsor may go away.

  3. FedRAMP PMO Review Backlog – As the FedRAMP program transitions from its traditional Program Management Office (PMO) review to FedRAMP 20x, it communicated that the PMO backlog should be cleared out in the next 30-45 days. This is good news for all the CSPs pending final PMO review after agency ATO issuance.

  4. Enhanced Role of CSPs and Agencies – The FedRAMP PMO will reduce its direct reviews of Readiness Assessment Reports (RARs) and Security Assessment Reports (SARs), enabling a more streamlined process where 3PAO results and Agency Authority to Operate (ATO) memos are trusted to allow authorized statuses to be posted within 2-4 weeks after an agency issues an ATO.

  5. Continuous Monitoring (ConMon) Adjustments – The responsibility for continuous monitoring is shifting directly to CSPs. While federal agencies will still expect monthly ConMon deliverables, the FedRAMP PMO will no longer review these submissions. CSPs are now tasked with providing summary and trend data directly to federal agencies, ensuring ongoing compliance and security posture maintenance.

  6. Formation of Community Working Groups – To foster collaboration and gather industry insights, four working groups are being established. These groups, comprising representatives from CSPs and 3PAOs, will advise on potential changes to the program. The working groups include:

    • Industry is encouraged to join and actively shape the FedRAMP 20x efforts. No need to sign up – anyone can join – https://www.fedramp.gov/20x/working-groups/

  How will this be phased in –
  Much of the proposed changes will be developed via the Working Groups outlined above. As the ideas develop, they will then go through a formal request process (public comment) before implementation. As policy updates roll out, conceptually they are expected to follow the cloud service offering (CSO) models below:

  Alignment with other governance frameworks such as DoD Cloud Computing SRG (DISA), StateRAMP/dba GovRAMP (CISecurity) and CMMC (Cyber AB) – It’s important to note that these changes are specific to the FedRAMP program only. Continue to check with your agency sponsors (buyers) to understand their risk process as this evolves. At this time, StateRAMP has been the only governing body publicly addressing collaboration with FedRAMP 20x.

Go-to-Market Strategy

CSPs looking to do business with the US government holistically need to assess all governance frameworks (FedRAMP, StateRAMP, DoD CC SRG [DISA] and CMMC) in their go-to-market strategy!

While these adjustments mark a significant shift in the FedRAMP landscape, the immediate impact will be focused on accelerating the authorization process and enhancing efficiency. CSPs should continue adhering to the existing authorization process (if already approved), with the understanding that the newly formed working groups will inform future changes, which will ultimately be published by the FedRAMP PMO.

Given the increased responsibilities placed on CSPs, especially around continuous monitoring and compliance reporting, collaboration with 3PAOs can be instrumental in navigating this transition. Organizations like Fortreum are prepared to support CSPs in meeting these new requirements, ensuring sustained compliance and security excellence in the evolving FedRAMP environment.

Fortreum remains committed to supporting the FedRAMP program and its partners throughout this transformation. We will continue to provide timely updates and are available to address any questions or concerns. Together, we can navigate the future of FedRAMP, embracing these changes to enhance the security and efficiency of cloud services within the federal landscape.

+++++

Fortreum is an independent firm specializing in audit, advisory, and technical testing services, delivering cybersecurity expertise in highly regulated industries. Our mission is to simplify cloud and cybersecurity challenges for our clients. With nearly 25 years of combined experience in both the public and private sectors, Fortreum is dedicated to addressing our customers’ complex cloud and cybersecurity needs.

For more information, visit the Fortreum website or follow the company on LinkedIn at LinkedIn.com/company/fortreum.

Should you have questions about your FedRAMP, XRAMP, cloud and cybersecurity readiness, please reach out to us at Info@fortreum.com or Contact Us at https://fortreum.com/contact/