FedRAMP's 20x initiative receives initial approval on four projects
Modernizing Federal Cloud Security: FedRAMP 20x Takes Center Stage
The Federal Risk and Authorization Management Program (FedRAMP) introduced a new approach to federal cloud security authorization, called FedRAMP 20x, in March 2025. The initiative aims to significantly improve and modernize the federal cloud security authorization process by focusing on automation, collaboration, and continuous security validation.
The 20x process is designed as a cloud-native security assessment process that aims to reduce bureaucratic delays and enable faster approvals. By automating compliance checks and shifting towards a model focused on security outcomes, the typical authorization timeline is expected to be cut from over a year to about five weeks.
FedRAMP 20x emphasizes several key aspects:
- Automation and continuous validation: Cloud service providers can continuously validate their security postures with real-time compliance evidence and automated workflows, moving away from static, manual compliance checks.
- Simplified, outcome-focused requirements: FedRAMP 20x shifts from a process-driven compliance model towards one focused on security outcomes, allowing for more flexible, collaborative, and adaptive approaches between agencies and cloud providers.
- Industry and public collaboration: FedRAMP 20x is developed in an open, public manner with active participation from industry stakeholders and federal agencies to iterate and refine the authorization model continuously.
- Cloud-native tooling and transparency: Early pilot participants publish validation processes publicly and leverage technologies like git-native workflows and Terraform-driven deployments for security automation, fostering transparency and auditability.
- Continuous vulnerability management: The program extends into continuous monitoring and vulnerability standards that promote automated detection, prioritization, and mitigation of security risks within precise timelines.
The FedRAMP program management office is accepting phase one pilot 20x applications until August 19. So far, about 14 cloud service packages are already in the queue under this pilot. The initial results of the 20x pilot have been successful, according to Pete Waterman, the director of the FedRAMP program.
In addition, the Office of Management and Budget updated the policy governing FedRAMP a year ago to address long-standing challenges with the cloud security program. As a result, FedRAMP has authorized more than 100 cloud services over the last year.
The FedRAMP program is also rethinking its process in line with the new administration's instructions. The goal is for vendors to demonstrate how they protect data and systems rather than describing it in a document. The 20x process focuses on legitimate security outcomes based on actual configurations.
Vulnerability management standards, which aim to help cloud services handle security risks and provide future guidance on identifying and addressing vulnerabilities, have also been introduced. The program management office may finalize these standards in a matter of weeks or a few months, depending on the comments received.
The 20x process is expected to begin pilots for moderate level authorizations this fall and high authorizations in early 2026. The average agency authorization review queue remains under 15 cloud services with a typical review time of under five weeks.
The FedRAMP program underwent a significant change in the last year due to a new memorandum. The goal of the 20x pilot is to make the authorization process better, faster, and cheaper. The standards are a shift for FedRAMP towards being a security-based program rather than a compliance-based program.
Four vendors have received low authorizations under FedRAMP within the first four months of the pilot. The 20x process aims to provide a report that shows compliance with 80% of the requirements. The FedRAMP program kicked off a programmatic overhaul in March with an appeal for more industry input.
In conclusion, FedRAMP 20x represents a significant leap forward in federal cloud security authorization, promising to modernize the process, improve security, and reduce bureaucratic delays. The program's emphasis on automation, collaboration, and continuous security validation is expected to revolutionize the way cloud services are authorized and managed in the federal sector.
Technology plays a key role in the FedRAMP 20x process, with automation and continuous validation being critical to ensuring compliance. Data and cloud computing solutions are leveraged in this approach to reduce bureaucratic delays and enable faster approvals.
The 20x process also emphasizes cloud-native tooling and transparency, as early pilot participants publish their validation processes publicly and adopt technologies like git-native workflows and Terraform-driven deployments to foster security automation, increase transparency, and promote auditability.