Introducing FedRAMP 20x

The Federal Risk and Authorization Management Program (FedRAMP), designed to ensure services offered by cloud providers meet certain cybersecurity requirements before government agencies can use them, is getting an update. FedRAMP 20x is focused on introducing automation to increase the pace of authorizations, a longstanding issue with the program.

A key change is moving from manual compliance checklists to automated security validations. The stated goal is automated validation for over 80% of the program's security requirements, rather than the written explanations currently required. Today, FedRAMP packages contain hundreds or even thousands of pages of text, screenshots, and logs, which are expensive to produce and keep current and provide little ongoing value to the government or the vendor. This updated effort delivers on language in the 2023 FedRAMP authorization bill as well as the revamped guidance issued in the summer of 2024 that focused on introducing automation.

This automation will also address recent cuts to FedRAMP staff. The program eliminated nearly all contractor positions (around 80 in total). To make up for the cuts in contractors, the General Services Administration (GSA) has been growing the government staff over the past year, with a group of 18 employees managing the program today.

Additional changes in FedRAMP 20x include:

  • Gradual elimination of agency sponsorship. Effective immediately, Federal agency sponsors will no longer be required for "simple, low-impact service offerings." The program will continue to support agency authorizations for higher-impact projects until new processes are finalized.
  • Increased collaboration with industry through working groups. The Automation Community Working Group will work on creating key security indicators (KSIs) that could help in the automation of security evaluations. The Applying Existing Frameworks Working Group is exploring existing commercial standards to determine if any would be applicable to Federal security requirements, ensuring FedRAMP relies on existing best practices. The Continuous Reporting Community Working Group is looking into how to leverage automation to ensure that ongoing risk monitoring is enforced, validated, and reported.
  • FedRAMP will use KSIs to move away from the "baseline checklist" approach to better align government compliance and modern security best practices. For example, encryption could be measured by a compliance tool, built into code, or ensured through services that actively override non-encrypted communications, rather than relying on static spreadsheets to document compliance with encryption standards.

GSA has developed an engagement kit to help industry understand immediate changes and the ongoing vision.

To stay up to date with FedRAMP changes and cloud use in government, check out these resources from GovEvents and GovWhitePapers.

  • 2025 FedRAMP Updates (May 14, 2025; webcast) - This event will showcase how commercial ISVs as well as Federal Agencies can take actionable steps to meet new and emerging Federal cybersecurity mandates, including assessing AI systems risk.
  • Resiliency and Business Continuity in the Cloud Era (May 22, 2025; webcast) - With a growing movement toward cloud-based user access, zero trust, identity services hosted in the cloud, and more, it's time to look at backup plans and overall continuity strategies to ensure robust cloud resilience models are in place.
  • How GSA Can Help Your Cloud/Software Small Business Get on Schedule (July 15, 2025; webcast) - Cloud computing and software acquisition are major topics for government agencies. This event gives small businesses the chance to learn how to become Best-in-Class vendors to support various agency needs.
  • Cloud Security: First Principles and Future Opportunities (eBook) - This comprehensive guide to securing cloud environments includes insights from SANS experts and major cloud providers (AWS, Google, Microsoft). This edition covers fundamental security principles, architectural best practices, and modern security challenges, including identity modernization, AI security risks, and cloud governance.
  • A Year in the Clouds: Reviewing Government Cloud Policy and Use (white paper) - Cloud computing has become a cornerstone of government modernization, transforming how services are delivered to citizens. Over the past year, programs like FedRAMP have expanded to streamline cloud adoption and enhance security across federal agencies. These advancements are not just technological; they also reshape the relationship between governments and their citizens.
  • Cloud Security Playbook Overview (white paper) - As organizations increasingly rely on cloud services, securing these environments has never been more critical. The Cloud Security Playbook highlights the shared responsibility between Cloud Service Providers and Mission Owners, emphasizing the importance of encryption, identity management, and proactive threat detection.

For more information on cloud in government, search for additional events and resources on GovEvents and GovWhitePapers.

This entry was posted in Event News Articles by Kerry Rea, President of GovEvents.
