GSA Announces Overhaul of FedRAMP with Emphasis on Industry Input and Automation

The U.S. General Services Administration (GSA) recently announced plans to develop the Federal Risk and Authorization Management Program (FedRAMP) 20x – a new approach to the governmentwide program for the security assessment, authorization and continuous monitoring of cloud service provider products used by federal government agencies. FedRAMP provides a standardized, reusable approach to security assessment and authorization for cloud service offerings. GSA's introduction of FedRAMP 20x represents a pivotal shift for government contractors, particularly those involved in cloud services. This new approach aims to streamline the security assessment and authorization processes for cloud service providers, significantly enhancing their ability to access federal contracts. Notably, FedRAMP 20x emphasizes automation and industry engagement with the intent to foster a more efficient and collaborative environment, ultimately reducing regulatory burdens and expanding access to the federal marketplace. For government contractors, these changes promise increased efficiency, market access and potentially elevated cybersecurity standards across the industry.
Summary of FedRAMP 20x Plans
FedRAMP was originally created in 2011 by GSA following a directive from the Office of Management and Budget (OMB) to provide a cost-effective, risk-based approach for the adoption and use of cloud services by federal executive departments and agencies. Currently, the traditional FedRAMP Agency Authorization process is the only path to FedRAMP authorization. In the Agency Authorization path, federal agencies work directly with a cloud service provider (CSP) on authorization. CSPs that make a business decision to work directly with an agency to pursue an Authority to Operate (ATO) work with that agency throughout the FedRAMP Authorization process.
The rollout of FedRAMP has come with challenges for both agencies and industry, leading to delays in receiving authorization. GSA's announcement signals an intent to address these issues by building a new cloud-native approach to FedRAMP authorization with industry and entirely in public – i.e., FedRAMP 20x – with the goal of allowing contractors to navigate federal security requirements and receive authorization in weeks.
FedRAMP has announced the following five key goals in developing FedRAMP 20x:
- utilize automation to simplify the application and validation of FedRAMP security requirements
- leverage existing industry investments in security by inheriting best-in-class commercial security frameworks
- continuously monitor security decisions using a "hands-off" approach
- build trust between industry and federal agencies by leaning into the direct business relationships between providers and customers
- enable rapid continuous innovation without artificial checkpoints that halt progress
Notable anticipated changes already announced for FedRAMP 20x include:
- Agency sponsorship will no longer be necessary.
- Cloud providers will be able to use existing security certifications to prove system security standards are met.
- FedRAMP authorizations will take weeks instead of months or years.
- FedRAMP 20x will allow CSPs to submit documentation and automated validation directly to FedRAMP prior to being added to the FedRAMP marketplace.
Focus on Utilization of Industry Engagement
To meet its goals, GSA has created Community Working Groups (CWGs) as a mechanism to engage directly with GSA FedRAMP experts and share information while working on shared goals. These groups aim to create solutions that meet FedRAMP standards and policies, with a focus on industry engagement from CSPs to determine commercial best practices and automation. GSA has launched four initial CWGs:
- Rev. 5 Continuous Monitoring. Developing continuous monitoring reports by cloud service providers with FedRAMP Rev. 5 authorizations to meet agency needs.
- Applying Existing Frameworks. Examining how policies and documentation created by industry can be applied directly to FedRAMP without separate processes.
- Automating Assessment. Creating industry standards and tools to automate assessment, reporting and/or enforcement of technical controls.
- Reporting Continuously. Identifying optimal mechanisms for CSPs to communicate directly with customers about continuous improvement without significant change requests.
To facilitate the exchange of information, CWGs will engage with the public through both meetings and a shared workspace that contains the latest developments.
Focus on the Development of Automation Capabilities
GSA also intends to use automation to simplify its processes through FedRAMP 20x. Notably, FedRAMP claims that under FedRAMP 20x "80 percent+ of requirements will have automated validation without the need to write a single word about how it works, compared to 100 percent of current controls requiring narrative explanations." Similarly, GSA intends to ensure FedRAMP 20x is able to configure CSPs' systems to create an automated security monitoring system.
Key Takeaways
- Continue Business as Usual. Though GSA has announced these anticipated plans for the FedRAMP program, no changes have occurred yet. Until a formal end-of-life timeline is announced, CSPs may continue to use the current process, which requires agency sponsorship for FedRAMP authorization.
- Technical Assistance for Rev. 5 Baselines Has Ended. Although these changes are still pending, GSA has announced that FedRAMP will no longer provide technical assistance for updates to the current Rev. 5 baselines or perform "triple check" reviews of current FedRAMP Rev. 5 packages.
- Unique Public Opportunity to Shape the Future of the FedRAMP Program. FedRAMP's CWGs present a great opportunity for industry stakeholders to work hand in glove with key FedRAMP employees and shape future requirements.
- Emphasis on Efficiency of Process to Expand Access to the FedRAMP Marketplace. The overriding focus of FedRAMP 20x is improving the efficiency of the FedRAMP authorization process and reducing the regulatory burden on CSPs in the FedRAMP marketplace. If successful, FedRAMP's efforts will create an industry-friendly program that should attract more cloud service providers to the federal procurement space.
- Updates to FedRAMP Are Important for All Contractors Using Cloud-Based Storage Systems – Not Just CSPs. FedRAMP 20x may create uniform industry cybersecurity standards for cloud service providers, as well as for cloud-based storage, which may have downstream effects. These changes may impact GovRAMP, the program that establishes cybersecurity standards for cloud service providers used by state procurement entities, and will likely lead to changes in the minimum cybersecurity requirements for controlled unclassified information (CUI) stored on cloud-based servers.
- FedRAMP 20x May Provide Insight into How the Federal Government Will Utilize Artificial Intelligence (AI) to Improve Efficiency. Though FedRAMP does not expressly claim that it will leverage AI in developing FedRAMP 20x, the emphasis on automating tasks such as authorization and continuous monitoring seems ripe for the use of AI – particularly for automating validation. The implementation of FedRAMP 20x could showcase how the federal government intends to leverage AI tools in the cybersecurity sphere.