Security news and analysis brought to you by the McCrary Institute

How FedRAMP 20x can cut the red tape that stymies cloud adoption 

By Alison King

The U.S. General Services Administration (GSA) recently announced a much-anticipated overhaul of the government’s cloud products certification program. Initially launched in 2011, the Federal Risk and Authorization Management Program (FedRAMP) was designed as a centralized clearinghouse for federal entities adopting secure cloud solutions and services. Instead, unclear requirements, high costs, and years-long authorization timelines created a market barrier that disproportionately favored cloud-native providers and hyperscalers, severely limiting the government’s access to various cloud tools.

The new FedRAMP 20x strategy aims to fix this. Its five key goals, which are designed to significantly reduce timelines from months or years to weeks while maintaining high security standards, were enthusiastically greeted by federal CISOs and industry vendors.

If successful, FedRAMP 20x has the potential to be the poster child for modern governance. Leveraging speed through automation, reciprocity without the red tape, and fit-for-purpose certifications for enhanced flexibility will create the necessary conditions to expedite secure cloud products for the federal government.

An expedited process through automation 

Historically, FedRAMP assessments were done manually. Mountains of documentation and duplicative testing slowed the authorization process, which often took up to 24 months. For smaller vendors and non-cloud-native companies, these conditions created enormous burdens. For the better part of a decade, this process created a lose-lose situation that kept federal entities from deploying the tools necessary to execute their missions against the growing tide of cyber threats.

GSA’s new validation tools will automate the security compliance process: applicants can map against FedRAMP baselines using machine-readable templates that support continuous monitoring. This upgrade yields a dynamic, scalable system that systematically reduces the authorization timeline while maintaining a mature security posture over the long run. Accelerating the review cycle by eliminating manual reviews will drive resiliency across the federal enterprise through the faster deployment of new tools.

Reciprocity without red tape

A FedRAMP Authority to Operate (ATO) previously required an agency sponsor before the process could officially begin. This often resulted in multiple agencies conducting redundant reviews despite having similar needs, compounding inefficiencies through duplication of effort and ultimately slowing the process for everyone.

FedRAMP 20x cuts this red tape by eliminating the sponsorship requirement. Vendors can submit their documents directly to the FedRAMP Project Management Office (PMO), creating a centralized fast-track process that ensures ATO reciprocity across the federal enterprise, including 15 executive departments and 441 agencies.

Fit-for-purpose flexibility

FedRAMP 20x embraces the fact that not every federal system requires the same service configuration and level of security.

Rather than forcing vendors into a one-size-fits-all model that doesn’t provide the necessary flexibility for non-cloud-native companies with legacy IT architecture, the new approach accepts existing compliance documentation such as ISO 27000 or SOC2, giving vendors the latitude to offer modular, risk-based offerings that better align with each federal entity’s operational needs.

The path ahead – zoom zoom!

“Our partnership with the commercial cloud industry needs serious improvement,” GSA Acting Administrator Stephen Ehikian said in his announcement of the overhaul. “Strengthening this relationship will help us fulfill our commitment to cutting waste and adopting the best technologies to modernize the government’s aging IT infrastructure. FedRAMP 20x will give agencies access to the latest technology now – not months or years down the road.”

FedRAMP 20x represents a significant breakthrough because the federal IT landscape is not cloud-native by design but a mix of complex architectures vulnerable to malicious actors, misconfigurations and digital consolidation. Federal entities rely on a mosaic of on-premises assets, legacy infrastructure, operational technology (OT) and cloud to execute their missions. Mandates for zero-trust deployment policies and technical solutions require that the entire attack surface, not just cloud workloads, be locked down. Once deployed, FedRAMP 20x’s risk-based, modular approach will transform the certification process into an autobahn where an ATO could be achieved in as little as a fortnight.

Bottom line: FedRAMP 20x unlocks and accelerates the federal government’s progress toward achieving zero-trust architectures. These architectures build operational resiliency and ensure that entities recover from incidents in record time with minimal impact.