
GSA Looks to Automation in FedRAMP Revamp


The federal government is overhauling the program that sets security and other standards that cloud service providers (CSPs) must meet to win contracts with government agencies with the goal of streamlining the approval process through greater automation and fewer obstacles.

The General Services Administration (GSA) this week kicked off FedRAMP 20x, an initiative aimed at easing the path for Amazon Web Services, Microsoft Azure, Google Cloud Platform, and myriad other CSPs that want to do business with the government and find a place in the FedRAMP Marketplace.

Key aspects of the program include the greater use of automation technologies to speed up the approval process, a goal that will also be helped by simplifying and clarifying the security requirements. GSA officials want to reduce the amount of time needed to get FedRAMP approval from months or years to weeks.

Other factors include simplifying authorization by no longer requiring that a federal agency sponsor a CSP for what the GSA calls “simple, low-impact services offerings” and using existing security certifications to prove that standards for systems are met.

Measuring the Needs of CSPs

The agency is also shifting the focus to cloud providers’ needs, including making continuous monitoring more decentralized and based on the CSPs’ terms and allowing providers to work more independently with an agency after the cloud program has been adopted. The security requirements will be “engineer-friendly” and “easy to implement,” according to the agency.

“We’re not just modernizing a process; we’re reimagining how federal cloud security can work and providing agencies the ability to determine their own risk posture,” Thomas Shedd, director of the Technology Transformation Services and deputy commissioner of the Federal Acquisition Service, said in a statement. “FedRAMP 20x represents our commitment to cutting through complexity, empowering innovation, and ensuring that security keeps pace with technological advancement. FedRAMP 20x will keep driving faster, smarter, and more customer-focused service for years to come.”

The move to automation – and the expected acceleration of the approval process – could also help lower the cost of certification, which some estimates place at an average of $1 million. It could also grow the number of FedRAMP-validated services offered through the program. There currently are 386 authorized services offered in the FedRAMP Marketplace.

Automation Takes Center Stage

The shift from manual to automated compliance checklists is a key part of the effort. The agency wants to use automated validation for more than 80% of the program’s security requirements, replacing the written explanations that are currently used.

In addition, “industry partners will provide continuous simple standardized machine readable validation of the things that really matter,” the GSA wrote. “Automated enforcement and secure-by-design principles will prevent mistakes or bad decisions.”

'A Complete Paradigm Shift'

The move from manual to automated processes is an important step, according to Shrav Mehta, founder and CEO of automated compliance vendor Secureframe, who called it “nothing less than a complete paradigm shift.”

“The move to automated compliance marks a significant evolution in security verification,” Mehta told MSSP Alert. “Traditional, episodic assessments create gaps in security, whereas continuous monitoring offers real-time visibility into potential threats.”

It also aligns with the industry-wide trend toward continuous verification as organizations move away from static, point-in-time assessment, Mehta said. Commercial frameworks like SOC 2 and ISO 27001 are making the same change, which he said strengthens security while making compliance processes more efficient.

“Adversaries act in real time, exploiting vulnerabilities quickly, whereas traditional point-in-time assessments miss critical threats due to their reliance on sampling,” Mehta said, adding that “agencies and contractors should recognize that while FedRAMP is evolving structurally, its fundamental purpose remains unchanged.”

MSSPs Need to Get Involved

The shifts in FedRAMP also matter to MSSPs and MSPs, which will play a key role in implementing automated compliance, he said. That said, there are steps they’ll need to take as the new FedRAMP model evolves, including expanding their capabilities to include continuous monitoring infrastructure that generates real-time dashboards and making their own shift toward automated verification systems.

They also need to reorient service delivery toward interpreting security data and providing strategic guidance, and to participate in the industry working groups that the GSA is creating in order to influence the development of technical standards.

“This transition creates strategic differentiation opportunities for forward-thinking service providers who embrace automation-centric compliance approaches,” Mehta said, adding that they’ll gain a competitive edge by helping organizations navigate the changing compliance landscape.
