FedRAMP 20x Unveiled
The Federal Risk and Authorization Management Program (FedRAMP) is the authoritative standard for cloud computing products and services that process unclassified federal information. FedRAMP announced the launch of FedRAMP 20x, an initiative focused on making automated authorization easier and cheaper. FedRAMP claims these changes will reduce the average time for cloud service providers (CSPs) to obtain FedRAMP authorization from years to weeks through automation and modular compliance while increasing the overall security posture of federal cloud solutions through applied security.
FedRAMP 20x Goals
FedRAMP 20x lays out the following five goals for a revised assessment process:
Make it simple to automate the application and validation of FedRAMP security requirements
The goal is for more than 80% of requirements to have automated validation without the need to write a single word about how it works, compared to 100% of current controls requiring narrative explanations.
Leverage existing industry investments in security by inheriting best-in-class commercial security frameworks
New documentation required for FedRAMP will be reduced to a few pages if companies provide their existing security policies, change management policies, and other documentation. Optional, customizable templates approved by FedRAMP will be available for the remaining requirements. Tools will be provided to document complex technical systems in code rather than narrative, in a form that meets FedRAMP standards.
Continuously monitor security decisions using a simple, hands-off approach
Industry partners will provide continuous and simple standardized machine-readable validation. Automated enforcement and secure-by-design principles will be leveraged to prevent mistakes.
Build trust between industry and federal agencies by leaning into the direct business relationships between providers and customers
Cloud service providers and agencies will interact directly over established business channels to review and maintain security.
Enable rapid, continuous innovation without artificial checkpoints that halt progress
Enforcement systems will be implemented to ensure security is constantly in place. Annual assessments will be replaced by simple automated checks. Significant changes that follow an approved business process won’t require additional oversight.
FedRAMP 20x Phase 1
When Phase 1 is ready to launch, software-as-a-service offerings will be eligible if they meet the following requirements:
- Deployed on an existing FedRAMP Authorized cloud service offering using entirely or primarily cloud-native services
- Minimal or no third-party cloud interconnections; all services handling federal information must be FedRAMP Authorized
- Service is provided only via the web (browser and/or APIs)
- Offering supports a few standard customer-configured features needed by federal agencies (or you’re willing to build that capability quickly)
- Existing adoption of security frameworks such as SOC 2, ISO 27001, CIS Controls, HITRUST, etc. is a plus
How Does FedRAMP 20x Impact Providers Currently Working on Authorization?
Cloud Service Providers (CSPs) and federal agencies can continue working together to perform “sponsored” FedRAMP Agency Authorizations against traditional FedRAMP Rev5 baselines. FedRAMP will accept these authorizations until a formal end-of-life timeline is announced, meaning:
- The FedRAMP PMO and Board will not provide updated technical assistance or guidance for implementation of the Rev5 baselines after March 2025.
- The FedRAMP PMO will stop performing in-depth “triple check” reviews of FedRAMP Rev5 packages after March 2025. Agencies will be expected to review the package in depth and make their own risk assessment without the opinion of the PMO.
- The FedRAMP PMO will halt the limited centralized continuous monitoring of former JAB-authorized FedRAMP Rev5 cloud service offerings after March 2025, and authorizing agencies will be responsible for monitoring. A Community Working Group will coordinate with industry to update this process.
What is the Impact on FedRAMP Authorized Cloud Service Offerings?
All currently authorized cloud service offerings (CSOs) will be designated as FedRAMP Rev. 4 or Rev. 5 Authorized until they update to a newer 2025 or higher baseline.
Get Engaged
There are four initial Community Working Groups to provide the public with an opportunity to engage directly with FedRAMP advocates and others working on shared goals. Each group will create solutions that meet FedRAMP standards and policies. The four groups are:
- Rev 5 Continuous Monitoring
- Automating Assessments
- Applying Existing Frameworks
- Continuous Reporting
Dates and times for Community Working Group kickoff meetings and registration info can be found here. If you are unable to join a Community Working Group, there will be an opportunity to share your feedback on any draft guidance during the formal public comment period.
Resources
The following resources are available to help you learn more about FedRAMP 20x:
CompliancePoint has a team of experienced cybersecurity professionals who can guide your organization through designing and implementing cloud security controls that meet FedRAMP requirements. Contact us at connect@compliancepoint.com to learn more about our services.
Finding a credible expert with the appropriate background, expertise, and credentials can be difficult. CompliancePoint is here to help.