FedRAMP 20x: Proposed Framework Aims To Increase Automation and Efficiency

On March 24, 2025, the Federal Risk and Authorization Management Program (FedRAMP) unveiled “FedRAMP 20x,” a proposal to make FedRAMP more efficient by automating FedRAMP security assessments and continuous monitoring, simplifying required technical controls, and leaning on industry to provide tooling and solutions to support automation. 

What is FedRAMP?

FedRAMP is a federal government-wide compliance regime that provides a standardized approach to security assessment, authorization, and continuous monitoring for cloud products and services used by federal agencies or for federal government information. Through security assessments, cloud service providers (CSPs) obtain authorizations confirming that their cloud products and services are compliant with FedRAMP baseline security requirements.

The FedRAMP website explains that FedRAMP 20x was driven by Trump administration efficiency goals and industry feedback that the current FedRAMP authorization process is “too expensive, time-consuming, and challenging.” The current process requires CSPs to obtain a federal agency sponsor, rigorously document compliance with hundreds of technical controls, and establish continuous monitoring programs to verify that they maintain compliance with FedRAMP requirements following authorization.

What is FedRAMP 20x proposing?

FedRAMP 20x is in the very early stages of its development and most details regarding implementation and timing don’t appear to be finalized, but FedRAMP has shared a few elements, summarized below.

• The current agency sponsorship authorization pathway will remain open (for now). FedRAMP will continue to process authorizations submitted through the agency sponsorship pathway while FedRAMP 20x is in development, but it will process agency sponsorship authorizations on an accelerated timeline with less-rigorous checks starting after March 2025. FedRAMP also stated that it intends to process all authorizations currently pending within the next few weeks.
• Assessments and continuous monitoring that rely heavily on automation. FedRAMP 20x proposes security assessments and continuous monitoring relying heavily on automated validation instead of expansive documentation and compliance narratives. FedRAMP 20x will aim for “80%+” of requirements to have automated validation and for compliance with FedRAMP controls to be documented mostly in machine-readable format instead of narratives.
• Simplified and tailored technical controls. “Key Security Indicators” (KSIs), described by FedRAMP as “straightforward, measurable and comparable translations of traditional controls” are to be developed in conjunction with industry, designed to be verifiable via automation, and may be tailored to focus on security functions relevant to the cloud service or product seeking authorization. FedRAMP’s apparent intent is for KSIs to supplant the NIST SP 800-53, Revision 5 security controls that undergird the current FedRAMP assessment process, as the FedRAMP website explains that FedRAMP “will not provide updated technical assistance or guidance for implementation of the Rev. 5 baselines after March 2025.”
• Looking to industry to support assessment and enforcement efficiency. FedRAMP 20x seeks to lean heavily on commercial partners to shape its policies and processes, including by looking to industry to provide tools and solutions geared towards automated validation and to participate in FedRAMP 20x community working groups centered around public GitHub repositories.

What does FedRAMP 20x mean for federal government cloud service providers?

FedRAMP 20x does not make immediate changes to FedRAMP’s fundamental structure. Instead, by promoting FedRAMP 20x, FedRAMP aims to modernize their authorization process real-time with active participation and input from cloud service providers and other stakeholders. Cloud service providers who do business with the federal government should consider:

• Engaging in the FedRAMP 20x community working groups, which are set to launch over the next three weeks.
• Exploring potential procurement or commercial business opportunities arising from FedRAMP 20x, especially with regard to cloud service features, tools, and other functions that could support automated assessment and validation processes.
• Monitor closely for further updates regarding the existing authorization process and the status of current authorization holders.