The program will focus on partnership with industry to develop a cloud-native approach to authorizations, the U.S. General Services Administration (GSA) announced Monday.
This initiative, known as FedRAMP 20x, aims to make the automated authorization process easier and cheaper while improving security.
The announcement highlighted several changes being made to the program. For example, no federal agency sponsor will be needed for what are described as “simple, low-impact service offerings.” The program changes are meant to enable “turnkey adoption” for simple cloud-native environments. They are also intended to ensure that there will be no unnecessary or duplicative paperwork. The announcement touts “engineer-friendly security requirements.” It also argues that the program changes will ensure authorization within weeks for most cloud offerings.
Along with the announcement, GSA released a FedRAMP 20x Industry Engagement Kit to educate stakeholders on the changes in the program and how cloud providers can become authorized.
“We’re not just modernizing a process; we’re reimagining how federal cloud security can work and providing agencies the ability to determine their own risk posture,” Technology Transformation Services Director Thomas Shedd, who is also deputy commissioner of the Federal Acquisition Service, said in a statement.
Existing FedRAMP-authorized cloud service offerings will be designated as FedRAMP Revision 4- or Revision 5-authorized until, and unless, they update to a newer 2025 or higher baseline, according to the kit.
Core principles that guide this new initiative include GSA’s role in setting the foundation for private-sector innovation, eliminating “red tape” through automation, enabling faster, more secure cloud adoption, and allowing for increased flexibility and improved collaboration.
“This initiative will lower vendor costs, increase competition, and build greater trust with industry,” said Carrie Lee, a member of the FedRAMP Board who is also chief product officer and deputy CIO, Product Delivery Service, in the Office of Information and Technology at the U.S. Department of Veterans Affairs.
Working groups will be held in late March and early April to gather industry input and share information and guidance prior to the formal comment period for any draft guidance. FedRAMP will sponsor and host the working groups.
FedRAMP 20x will be improved and updated on a yearly basis, according to the kit. Changes can be monitored on the program website.