FedRAMP 20x launches: What you need to know


The cybersecurity program's first major overhaul in more than a decade promises faster, more automated approvals and could open the door to new entrants, writes Amanda Mull of immixGroup.

In March, the General Services Administration announced that the Federal Risk and Authorization Management Program (FedRAMP) will work with industry on a cloud-native approach to authorizations.

Dubbed FedRAMP 20x, the initiative has just concluded its soft launch. Industry needs to stay on top of these changes, so here are the important things to know.

FedRAMP 20x has two goals. The first is to simplify and speed up authorization through automation, lowering costs for both applicants and the government while improving security. The second is to give simple, low-impact cloud services an application path with fewer sponsorship and documentation requirements. Cloud service offerings at higher impact levels, or with greater complexity, still require agency sponsorship.

In specific cases, cloud service providers can now submit their documentation and automated validation results directly to FedRAMP, rather than through a sponsoring agency, before being added to the FedRAMP Marketplace.

These changes should remove competitive disadvantages, encouraging small businesses and providers of cutting-edge services to seek and obtain FedRAMP approvals.

The revisions are crucial for cloud service providers selling to the U.S. federal government. They help ensure providers meet the security standards for protecting government information, and that providers can obtain FedRAMP authorization and enter the marketplace at a pace commensurate with technological change.

The FedRAMP 20x announcement builds on a 2024 overhaul of FedRAMP processes, the program's first in more than 10 years. Among the most significant changes has been the expansion of the program management office (PMO) to add federal technical experts with cloud services and security backgrounds. These new additions to the PMO range from security specialists to platform and software engineers, data scientists and communication strategists.

As noted earlier, the 20x Phase One pilot had its soft launch in May, with formal submissions to follow soon, according to FedRAMP. In the meantime, eight cloud service providers have shared public drafts of their 20x packages for community review, and more than 30 have notified FedRAMP of their intent to submit a 20x Phase One package.

Updated FedRAMP guidance

Public comments have been integrated into two formal FedRAMP standards:

Key Security Indicators (KSI): This standard summarizes the security capabilities required for FedRAMP Low authorization of cloud-native SaaS offerings. All FedRAMP 20x pilot authorizations and formal pilot submissions must now align to it.

Minimum Assessment Scope (MAS): This standard gives cloud service providers guidance on drawing narrow information resource boundaries without leaving out components that must be assessed.

FedRAMP also released clarifying information on the existing agency authorization path:

FedRAMP agency authorization is now based exclusively on FedRAMP Rev. 5 baselines. Companies and agencies with active investments in achieving FedRAMP authorization via this path "are encouraged to evaluate the progress of FedRAMP's efficiency improvement initiatives to make their own informed decisions," according to FedRAMP.

FedRAMP plans to collaborate with industry to build and continually improve the new FedRAMP 20x cloud-native authorization process. This largely automated process should allow companies to validate the underlying security of their services.

The new FedRAMP PMO is moving forward with a mandate to maximize efficiency, and the office is focused on clearing the agency authorization backlog. Consequently, according to FedRAMP, "nearly all other previously discussed work has been stopped."

Community input

FedRAMP maintains a community working groups page where interested parties can find its plans for public engagement and collaboration. Community working groups give industry an opportunity to influence how the new FedRAMP authorization processes are developed.

The page currently lists two active groups that are open to the public. Discussion takes place publicly in GitHub Discussions, with biweekly recap sessions hosted by FedRAMP on Zoom; each session includes open Q&A.

  • FedRAMP 20x focuses on how FedRAMP can rely on automated validation to the greatest extent possible, and on simplifying documentation and management requirements by leaning on existing best practices and commercial security frameworks.
  • FedRAMP Rev. 5 focuses on grounding all Rev. 5 authorization and monitoring processes in modern security practices, and on revising the existing approach so commercial cloud providers can better deliver their services to the government.

Other resources for FedRAMP information

FedRAMP has posted several other resources on its website to help stakeholders and third parties stay abreast of changes to the program:

  • The FedRAMP 20x page: details of the new authorization process, pilot eligibility and next steps.
  • The FedRAMP 20x Engagement page: past and upcoming public events, press coverage and podcast interviews.
  • The FedRAMP 20x Frequently Asked Questions page: official answers to commonly asked questions about FedRAMP 20x.
  • The Changelog page: significant information updates, tracked in one place.

FedRAMP aims to give all stakeholders equal and fair access to information as the changes roll out. It answers questions transparently in the community working groups and does not provide private answers to individual parties.

An overhaul this comprehensive will undoubtedly be somewhat confusing to follow in its early days. Ultimately, however, the new approach should give industry more streamlined ways to demonstrate the security of cloud-based solutions, leading to better engagements with federal agencies.

Amanda Mull is a federal contract specialist for immixGroup, the public sector business of Arrow Electronics. immixGroup delivers mission-driven results through innovative technology solutions for public sector IT. Visit www.immixgroup.com for more information.