What happens to the current FedRAMP process?
Cloud Service Providers and federal agencies may continue to work together to perform “sponsored” FedRAMP Agency Authorizations against traditional FedRAMP Rev5 baselines and FedRAMP will accept these authorizations until a formal end-of-life timeline is announced. This means:
- The FedRAMP PMO and Board will not provide updated technical assistance or guidance for implementation of the Rev5 baselines after March 2025.
- The FedRAMP PMO will stop performing in-depth “triple check” reviews of FedRAMP Rev5 packages after March 2025. Agencies will be expected to review the package in depth and make their own risk assessment without the opinion of the PMO.
- The FedRAMP PMO will halt the limited centralized continuous monitoring of former JAB-authorized FedRAMP Rev5 cloud service offerings after March 2025, and authorizing agencies will be responsible for monitoring. A Community Working Group will coordinate with industry to update this process.
What is FedRAMP 20x?
FedRAMP 20x is an initiative to partner with industry to build a cloud-native continuous security assessment that’s as simple as your cloud service offering - or as complex as needed. This new approach seeks to evaluate the outcomes of automated monitoring and enforcement of commercial security best practices to meet the minimum security requirement for federal information systems.
Why this and why now?
We’ve heard your feedback that the FedRAMP authorization process is too expensive, time-consuming, and challenging. GSA is dedicated to bringing more cloud services to government while effectively managing risks. As part of the Trump-Vance transition towards increased government efficiency, we are transitioning away from costly, inefficient, manually compiled documentation and towards industry-led, data-driven security reporting.
What are the next steps? When will FedRAMP 20x be implemented?
Technical assistance and guidance for FedRAMP 20x will be formalized on a rolling basis as the pilot is validated by the Community Working Groups. Each piece of guidance will go through formal public comment before it is made official and open to use by industry and other agencies.
What about existing FedRAMP authorized cloud service offerings?
All currently authorized cloud service offerings will be designated as FedRAMP Rev. 4 or Rev. 5 Authorized until they update to a newer 2025 or higher baseline.
I’m a new cloud provider. How do I get authorized today?
The only available route to FedRAMP authorization today is the Rev. 5 Agency Authorization path outlined on the FedRAMP website: https://www.fedramp.gov/rev5/agency-authorization/.
Will FedRAMP 20x remain the same in 2026, 2027, etc.?
FedRAMP will be continuously improved and updated on a yearly basis. FedRAMP 20x is initially focused on cloud-native software-as-a-service, deployed on an existing FedRAMP Authorized cloud service offering using entirely or primarily cloud-native services, with minimal or no third-party cloud interconnections.
What if I’m not able to join a Community Working Group? Can I still provide feedback?
Absolutely; while the Community Working Groups will work to validate initial ideas and encourage adoption, there will be an opportunity to share your feedback on any draft guidance during the formal public comment period. This approach allows room for continuous iterations before the first phase of FedRAMP 2025 launches.
How will it work for a cloud service provider currently in the authorization pipeline?
Cloud service providers and federal agencies may continue to work together to perform “sponsored” FedRAMP Agency Authorizations against traditional FedRAMP Rev. 5 baselines and FedRAMP will accept these authorizations until a formal end-of-life timeline is announced. However, FedRAMP will not provide updated technical assistance or guidance for implementation of the Rev. 5 baselines. Agencies will be expected to review the package in depth and independently make their own risk assessment.
How can I be sure to get notified of FedRAMP 20x changes?
FedRAMP believes in transparency and open collaboration. Be sure to follow along with our progress on GitHub and through our Change Log at fedramp.gov/changelog.
Will new cloud service providers need an agency “sponsor”?
FedRAMP 20x involves submitting both documentation and automated validation directly to FedRAMP before the cloud service offering is added to the FedRAMP Marketplace for hundreds of agencies to choose from. Once in the marketplace it will be up to agencies using a cloud service offering to authorize operation of the service as usual.