FedRAMP 20x - One Month In and Moving Fast

April 24 | 2025

Exactly one month ago today GSA announced FedRAMP 20x, an initiative to rapidly modernize FedRAMP in continuous collaboration with industry stakeholders and federal agency experts. The concept emphasizes security over compliance and encourages private innovation to provide the solution.

There is a mountain of effort behind the scenes to keep a program like FedRAMP moving forward. We can’t share pre-decisional information or too much detail about administrative procedures, but transparency into our internal activities and operating environment demonstrates our commitment to the goals of FedRAMP 20x and provides insight into how collaboration drives us forward.

Here is a high-level overview of what the FedRAMP team has been up to this month and what we’ll be focusing on next!

Delivering Authorizations

Our review team keeps working through final reviews of third-party assessment organization-recommended and agency-authorized FedRAMP packages to get secure services into the FedRAMP Marketplace:

  • Authorized 29 new cloud services (73 total this year), surpassing 400 authorized products
  • Granted seven new cloud services FedRAMP Ready designations (40 total this year), maintaining a clear queue for readiness assessment reports (RARs)
  • Recognized two new third-party assessment organizations
  • Listed five new In Process cloud services for Rev 5 Agency Authorizations
  • Received seven Rev 5 Agency Authorization packages for final review
  • Cleared our review queue down to 25 packages with eight ready for authorization, the smallest it has been since July of 2022

Community Engagement

We are constantly supporting our stakeholders and community:

  • Responded to 1,265 messages sent to info@fedramp.gov, including 833 access requests and 208 general questions about FedRAMP
  • Discussed FedRAMP 20x with over a thousand people at sessions hosted by industry trade groups including the Alliance for Digital Innovation, Cloud Service Providers - Advisory Board, and Business Software Alliance
  • Launched community working groups, hosted eight public meetings with well over a thousand unique attendees, and participated in 100+ active discussions in the working group discussion forums
  • Discussed FedRAMP’s progress and goals with minority and majority Congressional committee staff from the House Committee on Oversight and Government Reform and the Senate Committee on Homeland Security & Governmental Affairs
  • Met with executives and security leaders at DOD, DISA, CISA, VA, HHS, and OMB to discuss changes to FedRAMP
  • Met with various FedRAMP Board members individually while maintaining communication about the status and progress of changes
  • Presented to over 75 agency representatives at GSA’s Cloud & Infrastructure Community of Practice to share and collaborate on FedRAMP 20x updates
  • Presented at the CIO Council’s Analytics Community of Practice meeting on AI safety and performance evaluation
  • Discussed the future of FedRAMP, cloud security, and delivery in uncertain times with the HHS Administration for Children and Families Tech Team
  • Reengaged the FedRAMP Agency Liaison community with 85+ federal agencies represented
  • Supported internal GSA activities to finalize member selection and begin planning for 2025 Federal Security Cloud Advisory Committee meetings
  • Launched our official FedRAMP LinkedIn account with nearly a half dozen posts so far and growing. Be sure to follow us on social media, including X/Twitter and YouTube
  • Began work on a new prototype web page, including the FedRAMP Marketplace, that is both accessible and modern
  • Engaged the FedRAMP Technical Advisory Group for continuous support on new initiatives and standards
  • Supported Federal Acquisition Regulation (FAR) revision initiatives to streamline acquisition regulations

Improving Standards

Every day the team is driving incremental but continuous progress:

  • Posted three proposed standards for public comment via our FedRAMP Request for Comment process
  • Determined that FedRAMP-authorized cloud services that lose their only agency ATO will maintain FedRAMP authorization under most circumstances
  • Reviewed hundreds of comments from five outstanding requests for comment and published the resulting outcomes
  • Improved previous FedRAMP Boundary Guidance to produce a new proposed final standard for defining the boundary of FedRAMP authorizations based on public comment and changes to the operating environment
  • Developed a new draft standard to address devastating bottlenecks with significant change requests informed by stakeholder feedback and the Rev 5 Continuous Monitoring Working Group
  • Prepared a draft standard to demonstrate FedRAMP 20x with explicit criteria for achieving an automated FedRAMP Low authorization, informed by the Automating Assessments Working Group discussions
  • Finalized eligibility criteria for the first 20x pilots informed by stakeholder feedback
  • Explored leveraging existing industry-standard frameworks to meet FedRAMP 20x requirements in the Applying Existing Frameworks Working Group

Supporting GSA’s AI Priorities

Our small team of data scientists is constantly working to improve FedRAMP’s use of AI tools:

  • Developed an internal system using the GitHub API and the internal GSAi tool to review and prioritize GitHub comments and create executive summaries
  • Participated in the performance evaluation of the GSAi tool and supporting models
  • Created GSA’s first living guide for larger-scale code generation for business applications in a safe and systematic manner
  • Created a lab environment with resources for Generative AI-based learning and prototyping
  • Created an API-first technology stack supporting near-real-time data activities and integration with modern technologies
  • Created an ontology and tool to extract structured information from complex scientific papers

Next Month: 20x Phase One Pilot & Continuous Improvement

The FedRAMP 20x Phase One pilot is open to the public:

Qualifying cloud service offerings that successfully complete Phase One will receive a 12-month FedRAMP Low authorization and will be prioritized for FedRAMP Moderate authorization in Phase Two. Federal agency sponsors are not required to participate in Phase One.

Learn more about the FedRAMP 20x Phase One pilot here.

In FedRAMP 20x, Key Security Indicators summarize the security capabilities expected of cloud-native service offerings to meet FedRAMP Low authorization requirements.

RFC-0006 Key Security Indicators proposes initial indicators for the 20x Phase One pilot and is open for public comment through May 25, 2025.

Significant change is afoot:

FedRAMP intends to replace the previous Significant Change Request process with an updated Significant Change Notification standard. The update asserts authorizations granted to cloud service providers include the authority to make changes that are in the best interest of agency customers without asking permission from an authorizing official in advance, in most cases.

RFC-0007 Significant Change Notification Standard is open for public comment through May 25, 2025.

Shifting perspectives on what used to be the FedRAMP Boundary:

The FedRAMP Minimum Assessment Scope Standard is an updated approach to determining what is included in a FedRAMP assessment and authorization. The approach avoids unnecessary detail to support FedRAMP’s ongoing shift from compliance-based to security-based decision making and assessment.

RFC-0005 Minimum Assessment Scope Standard is open for public comment through May 25, 2025.


Closing

We’ve done all of this while managing a shifting resource landscape, with the loss of many in our wider community who have been a part of the program for over a decade. As circumstances and priorities change across the government, our attrition rate is lower than anticipated a month ago. We said goodbye to many people this month, including four federal staff and 26 contracted security reviewers who supported FedRAMP for many years and recently completed a record-breaking three-month review marathon that exceeded expectations.

Our team still has the right folks to deliver against FedRAMP 20x expectations and will continue to demonstrate our commitment through collaboration with stakeholders and continuous incremental delivery.

To have your voice heard about changes to the program, review and comment on our RFCs, join the discussion in our community working groups, and consider participating in our FedRAMP 20x Phase One pilot.
