GSA launches FedRAMP revamp

One major goal of the changes is to speed up the timeframe for agencies to get access to the latest technology quickly, “not months or years down the road,” the agency’s acting administrator said.
The General Services Administration launched FedRAMP 20x Monday, an effort it is pursuing with industry to use more automation and cut red tape around the government’s cloud security assessment and authorization program.
The Federal Risk and Authorization Management Program, or FedRAMP, is used to ensure services offered by cloud providers meet certain cybersecurity requirements before government agencies can use them.
“Our partnership with the commercial cloud industry needs serious improvement. Strengthening this relationship will help us fulfill our commitment to cutting waste and adopting the best available technologies to modernize the government’s aging IT infrastructure,” Stephen Ehikian, acting administrator of the General Services Administration, which runs FedRAMP, said in a statement. “FedRAMP 20x will give agencies access to the latest technology now — not months or years down the road.”
A major focus of the change is moving from manual compliance checklists to automated security validations, as Nextgov/FCW reported last week. The goal is to have automated validation for over 80% of the program’s security requirements, as opposed to written explanations, GSA says. Instead of annual assessments, there will be automated checks.
The legislation officially authorizing FedRAMP, included in the 2023 must-pass defense policy bill, also tasked the program with speeding up cloud authorizations by using automation, a to-do item that was also included in revamped guidance for the program last summer.
GSA is also getting rid of requirements for a federal agency sponsor for simple, low-impact service offerings and is aiming to finish authorization in weeks for most cloud offerings, it says.
The updates to the program come as the team running it — and its budget — has shrunk as GSA writ large sheds employees, FedRAMP director Pete Waterman acknowledged at an industry event on Monday, held by the Alliance for Digital Innovation, before emphasizing the need for change.
“The reality is that FedRAMP is so expensive and burdensome right now that most companies never consider it,” he said. “FedRAMP today is not meeting our needs… Why is it so hard? It’s because FedRAMP is rooted in the past.”
Rep. Gerry Connolly, D-Va., the top Democrat on the House Oversight and Government Reform Committee and author of the FedRAMP Authorization Act, told Nextgov/FCW that the Trump administration hasn’t yet consulted Congress on these changes, calling it “a radical departure from the longstanding partnership between Congress and the Executive Branch on this issue.”
“The Administration must provide clear assurance that it will result in effective and rigorous security outcomes,” he said.
On the contractor side, David Appel, Vice President of U.S. Federal at AWS, told Nextgov/FCW that “AWS looks forward to working with GSA as they modernize the program and drive updated security practices.”
“Google welcomes FedRAMP 2025’s focus on maximizing automation and zero trust to make the best technology rapidly and securely available for federal government use,” said Chris DeRusha, Director of Global Public Sector Compliance for Google Cloud.
“Increased government efficiency and transformation are imperative for all agencies as they work to modernize legacy technology, streamline complex processes, and improve operations. ServiceNow strongly supports streamlining the FedRAMP program, which will expedite the adoption of secure, innovative technologies across government,” said Jonathan Alboum, ServiceNow's Federal CTO.
Waterman emphasized the role of industry in these changes to FedRAMP on Monday, saying that “FedRAMP will set the standards that enable private innovation to create the solution.”
“That's how we'll develop and continuously improve a standardized, reusable, cloud-native approach to security assessment and authorization for cloud services,” he said. “This direction moves FedRAMP away from previous plans to centralize authority and services within the FedRAMP PMO so that we can focus on this mission.”
Next week, GSA is launching four public, community working groups. Moving forward, “technical assistance and guidance for FedRAMP 20x will be formalized on a rolling basis as the pilot is validated by the Community Working Groups,” GSA says.
For now, contractors and agencies can continue to work against “traditional FedRAMP Rev5 baselines” to do “sponsored” agency authorizations until GSA announces a formal, end-of-life timeline, according to the agency.
Editor's note: This story has been updated to include further details about the change.
Frank Konkel contributed to this report.