FedRAMP 20x describes key goals for a new assessment process that will be designed by FedRAMP in collaboration with industry stakeholders and agency experts. Community Working Groups will drive industry innovation to provide the solution.
The five key goals are:
1. Make it simple to automate the application and validation of FedRAMP security requirements.
- 80%+ of requirements will have automated validation without the need to write a single word about how it works, compared to 100% of current controls requiring narrative explanations
- Technical controls will make sense and match standard configuration choices
- Industry will provide solutions and competition for varying business needs with FedRAMP aligning standards
2. Leverage existing industry investments in security by inheriting best-in-class commercial security frameworks.
- New documentation required for FedRAMP will be reduced to a few pages if companies provide existing security policies, change management policies, and other documentation
- Community working groups will design optional templates that can be modified by companies to provide the foundation for remaining requirements with the approval of FedRAMP
- Industry will provide tools to document complex technical systems by code, not narrative, that meet FedRAMP standards
3. Continuously monitor security decisions using a simple, hands-off approach.
- Industry partners will provide continuous, simple, standardized, machine-readable validation of the things that really matter
- Automated enforcement and secure-by-design principles will prevent mistakes or bad decisions
- Community working groups will collaborate with FedRAMP to ensure a consistent approach across industry
4. Build trust between industry and federal agencies by leaning into the direct business relationships between providers and customers.
- Cloud service providers and agencies will interact directly over established business channels to review and maintain security
- Industry trade groups can band together to establish shared procedures that work best for them, or companies can set out alone, as long as minimum requirements set by FedRAMP are met
- Businesses will maintain control of their intellectual property and make their own decisions on how it can be shared
5. Enable rapid continuous innovation without artificial checkpoints that halt progress.
- Industry will implement enforcement systems that ensure security is constantly in place; annual assessments will be replaced by simple automated checks
- Significant changes that follow an approved established business process won’t require additional oversight
- Industry will help FedRAMP establish clear, consistent guidelines for making big changes that level the playing field between companies without ghost regulations