
On March 24, 2025, the Federal Risk and Authorization Management Program (FedRAMP) unveiled “FedRAMP 20x,” a proposal to make FedRAMP more efficient by automating FedRAMP security assessments and continuous monitoring, simplifying required technical controls, and leaning on industry to provide tooling and solutions to support automation. 

What is FedRAMP?

FedRAMP is a federal government-wide compliance regime that provides a standardized approach to security assessment, authorization, and continuous monitoring for cloud products and services used by federal agencies or for federal government information. Through security assessments, cloud service providers (CSPs) obtain authorizations confirming that their cloud products and services are compliant with FedRAMP baseline security requirements.

The FedRAMP website explains that FedRAMP 20x was driven by Trump administration efficiency goals and industry feedback that the current FedRAMP authorization process is “too expensive, time-consuming, and challenging.” The current process requires CSPs to obtain a federal agency sponsor, rigorously document compliance with hundreds of technical controls, and establish continuous monitoring programs to verify that they maintain compliance with FedRAMP requirements following authorization.

What is FedRAMP 20x proposing?

FedRAMP 20x is in the very early stages of its development and most details regarding implementation and timing don’t appear to be finalized, but FedRAMP has shared a few elements, summarized below.

  • The current agency sponsorship authorization pathway will remain open (for now). FedRAMP will continue to process authorizations submitted through the agency sponsorship pathway while FedRAMP 20x is in development, but it will process agency sponsorship authorizations on an accelerated timeline with less-rigorous checks starting after March 2025. FedRAMP also stated that it intends to process all authorizations currently pending within the next few weeks.
  • Assessments and continuous monitoring that rely heavily on automation. FedRAMP 20x proposes security assessments and continuous monitoring relying heavily on automated validation instead of expansive documentation and compliance narratives. FedRAMP 20x will aim for “80%+” of requirements to have automated validation and for compliance with FedRAMP controls to be documented mostly in machine-readable format instead of narratives.
  • Simplified and tailored technical controls. “Key Security Indicators” (KSIs), described by FedRAMP as “straightforward, measurable and comparable translations of traditional controls” are to be developed in conjunction with industry, designed to be verifiable via automation, and may be tailored to focus on security functions relevant to the cloud service or product seeking authorization. FedRAMP’s apparent intent is for KSIs to supplant the NIST SP 800-53, Revision 5 security controls that undergird the current FedRAMP assessment process, as the FedRAMP website explains that FedRAMP “will not provide updated technical assistance or guidance for implementation of the Rev. 5 baselines after March 2025.”
  • Looking to industry to support assessment and enforcement efficiency. FedRAMP 20x seeks to lean heavily on commercial partners to shape its policies and processes, including by looking to industry to provide tools and solutions geared towards automated validation and to participate in FedRAMP 20x community working groups centered around public GitHub repositories.

What does FedRAMP 20x mean for federal government cloud service providers?

FedRAMP 20x does not make immediate changes to FedRAMP’s fundamental structure. Instead, through FedRAMP 20x, FedRAMP aims to modernize its authorization process in real time, with active participation and input from cloud service providers and other stakeholders. Cloud service providers that do business with the federal government should consider:

  • Engaging in the FedRAMP 20x community working groups, which are set to launch over the next three weeks.
  • Exploring potential procurement or commercial business opportunities arising from FedRAMP 20x, especially with regard to cloud service features, tools, and other functions that could support automated assessment and validation processes.
  • Monitoring closely for further updates regarding the existing authorization process and the status of current authorization holders.
Michael G. Gruden, CIPP/G

Michael G. Gruden is a counsel in Crowell & Moring’s Washington, D.C. office, where he is a member of the firm’s Government Contracts and Privacy and Cybersecurity groups. He possesses real-world experience in the areas of federal procurement and data security, having worked as a Contracting Officer at both the U.S. Department of Defense (DoD) and the U.S. Department of Homeland Security (DHS) in the Information Technology, Research & Development, and Security sectors for nearly 15 years. Michael is a Certified Information Privacy Professional with a U.S. government concentration (CIPP/G). He is also a Registered Practitioner under the Cybersecurity Maturity Model Certification (CMMC) framework. Michael serves as vice-chair for the ABA Science & Technology Section’s Homeland Security Committee.

Michael’s legal practice covers a wide range of counseling and litigation engagements at the intersection of government contracts and cybersecurity. His government contracts endeavors include supply chain security counseling, contract disputes with federal entities, suspension and debarment proceedings, mandatory disclosures to the government, prime-subcontractor disputes, and False Claims Act investigations. His privacy and cybersecurity practice includes cybersecurity compliance reviews, risk assessments, data breaches, incident response, and regulatory investigations.

Evan D. Wolff

Evan D. Wolff is a partner in Crowell & Moring’s Washington, D.C. office, where he is co-chair of the firm’s Chambers USA-ranked Privacy & Cybersecurity Group and a member of the Government Contracts Group. Evan has a national reputation for his deep technical background and understanding of complex cybersecurity legal and policy issues. Calling upon his experiences as a scientist, program manager, and lawyer, Evan takes an innovative approach to developing blended legal, technical, and governance mechanisms to prepare companies with rapid and comprehensive responses to rapidly evolving cybersecurity risks and threats. Evan has conducted training and incident simulations, developed response plans, led privileged investigations, and advised on hundreds of data breaches where he works closely with forensic investigators. Evan also counsels businesses on both domestic and international privacy compliance matters, including the EU General Data Protection Regulation (GDPR), and the California Consumer Privacy Act (CCPA). He is also a Registered Practitioner under the Cybersecurity Maturity Model Certification (CMMC) framework.

Kate Growley

Kate M. Growley (CIPP/US, CIPP/G) is a director with Crowell & Moring International and based in Hong Kong. Drawing from over a decade of experience as a practicing attorney in the United States, Kate helps her clients understand, navigate, and shape the policy and regulatory environment for some of the most complex data issues facing multinational companies, including cybersecurity, privacy, and digital transformation. Kate has worked with clients across every major sector, with particular experience in technology, health care, manufacturing, and aerospace and defense. Kate is a Certified Information Privacy Professional (CIPP) in both the U.S. private and government sectors by the International Association of Privacy Professionals (IAPP). She is also a Registered Practitioner with the U.S. Cybersecurity Maturity Model Certification (CMMC) Cyber Accreditation Body (AB).

Nkechi Kanu

Nkechi A. Kanu is a counsel in the Washington, D.C. office of Crowell & Moring, where she is a member of the firm’s Government Contracts Group.

Nkechi’s practice focuses on False Claims Act investigations and litigation. Nkechi has significant experience assisting companies with complex internal investigations and represents clients in government investigations involving allegations of fraud. She also focuses on assisting clients with investigations relating to cybersecurity and information security compliance. Her complementary litigation practice involves defending companies in government-facing litigation arising under the FCA, resulting in the dismissal of qui tam complaints and successful settlements of FCA claims with DOJ.

Jacob Harrison

Jacob Harrison helps his clients navigate both domestic and international legal challenges.

Jake advises U.S. government contractors on internal investigations and state and federal regulatory compliance. His compliance practice focuses on counseling clients operating at the intersection of government contracts and cybersecurity, including for cybersecurity compliance reviews, risk assessments, and data breaches.

In his international practice, Jake represents foreign and domestic clients in Foreign Sovereign Immunities Act and Anti-Terrorism Act litigation. He also has experience advising clients involved in cross-border commercial arbitration proceedings.

During law school, Jake served as an associate editor of the Emory Law Journal and interned at the Supreme Court of Georgia and the Georgia House Democratic Caucus. Before attending law school, Jake worked in politics and state government.