FedRAMP’s New Chapter: What to Expect from the 20x Pilot Program

This week marks the beginning of an exciting new era as FedRAMP launches a transformative pilot initiative. Its proposed changes, announced yesterday during a public forum, represent a significant shift in how cloud service providers (CSPs) achieve federal authorization, with the intent of removing barriers and complexity to more rapidly achieve FedRAMP status.
The main takeaways?
- The FedRAMP market is open for business. The current Rev 5 Agency-based authorization remains the only active path to FedRAMP, but now is the time to pursue FedRAMP certification aggressively, as the timeline for certification will shorten substantially.
- Automation is more critical than ever. Make sure you have a trustworthy, scalable automation plan for continuous monitoring.
- Join the public working groups. The government is actively seeking your input and participation. More on this below!
The FedRAMP pilot program may be a major step forward for both CSPs and federal agencies — but what does it entail? How will it impact the path to ATO or the approaches we take to streamline and accelerate that path? Today, we’ll explore the pilot program and its implications in detail.
Your guide to the FedRAMP 20x pilot program
Plainly put, FedRAMP 20x is a pilot initiative that aims to reduce the time to authorization from years to weeks by removing a central layer of review from the process. It allows businesses to maintain a direct customer relationship with federal agencies, just as they do with their commercial customers, and it allows the FedRAMP Project Management Office (PMO) to take a more hands-off role in assessing security policies.
As FedRAMP Director Pete Waterman explained in the public forum, “The public sector deserves access to modern tools.” The current FedRAMP process is so burdensome (“We can’t keep pushing paper,” Waterman said) that most companies won’t even consider it, severely limiting the cloud technologies available to the federal government.
Although Waterman stressed that some details might change, we know that FedRAMP 20x is intended to eliminate several time-consuming facets of the legacy FedRAMP certification process:
- Agency autonomy. Moving forward, an agency simply has to issue an ATO for a vendor’s offering. Agency authorization will carry immediate marketplace recognition, removing a redundant step with the PMO.
- ConMon for certain controls. Monthly reports will only be required for technical controls, not administrative ones.
- Manual attestation. Automation, led by industry and not the federal government, will be implemented to streamline the attestation process for 80% of controls.
- Unnecessary oversight. Automation and continuous monitoring will accelerate the adoption of cloud services, allowing businesses to focus on mission critical tasks instead of years-long ATO processes.
The overall goal of the pilot program is to dramatically reduce authorization timelines and remove bureaucratic barriers to cloud technology adoption. It’s also intended to optimize resources, freeing up security teams to focus on managing risks instead of managing documentation. Additionally, the lower barrier to entry is expected to enable more innovative solutions to enter the federal marketplace.
For RegScale customers and partners, this is excellent news that aligns with our longstanding philosophy: GRC should support, not hinder, innovation in both the public and private sector.
Immediate changes to be aware of
The timeline for the pilot program is fast, with FedRAMP planning to immediately launch community working groups. By early May, they plan to publish draft guidance that can be used for early FedRAMP 20x authorizations.
The old path remains available, but with greatly reduced staffing and a diminished role. Under FedRAMP 20x, the legacy Rev 5 agency authorization path will remain open indefinitely. However, it’s been deprioritized by the current administration. Beginning in April 2025, FedRAMP will not be providing updated technical assistance or guidance on implementing Rev 5 baselines. Additionally, the FedRAMP Program Management Office (PMO) will stop performing in-depth reviews of Rev 5 packages, instead assuming adequacy based on agency authorization.
Some changes have already begun. The PMO has halted all centralized continuous monitoring of FedRAMP Rev 5 cloud service offerings. Development of program authorization or alternatives to agency authorization for the Rev 5 process has also been halted.
What this means for your organization
It’s important to remember that FedRAMP 20x is being released as a pilot concept — one that will be developed collaboratively with public input from four community working groups. We encourage everyone to join these working groups to shape the conversation around strengthening the federal government’s security posture in a commercially viable way.
The pilot will roll out in phases, beginning with low-impact, cloud-native services that rely on their FedRAMP-authorized host provider, can meet simple requirements with just a few reconfigurations, and have ideally adopted a commercial security framework. It will then gradually expand to include more complex environments and larger service providers with custom infrastructure.
The community working groups will focus on four main topics:
- Rev 5 continuous monitoring: Developing streamlined continuous monitoring standards and simple, standard reports. Meets Monday, March 31.
- Automating assessment: Automating the assessment and enforcement process for technical controls. Meets Wednesday, April 2.
- Applying existing frameworks: Leveraging existing best practices in commercial security frameworks to simplify documentation and risk management. Meets Tuesday, April 8.
- Continuous reporting: Building toward continuous technical attestation models that don’t require FedRAMP as a middleman. Meets Thursday, April 10.
What should you do next?
For current and prospective cloud service providers navigating these changes, here’s our best advice:
- If you’re already authorized: No changes necessary. You’ll continue with the legacy Rev 5 process until the pilot expands to include you.
- If you’re already in the FedRAMP process: Stay the course. The legacy Rev 5 process remains available, and the investments you’ve already made will continue to be necessary for your overall compliance posture.
- If you were about to get started with FedRAMP: Follow the legacy Rev 5 process. If you’ve got a business case and don’t want to delay your GTM, or if you’ve got a complex architecture that will not fall into Phase 1 above, your best bet is to jump in and not wait for the pilot program.
- If you’re considering FedRAMP: Good news! The path to authorization will likely become more streamlined, lowering your barrier to entry. Now is a great time to get your ducks in a row and stay updated on the pilot initiative’s progress. And if you meet the criteria for Phase 1, you should consider volunteering to be part of the pilot.
- For all organizations: As FedRAMP becomes more efficient and less onerous, we anticipate that more and more of the tech industry will seek certification. You won’t want to be left behind.
Looking ahead: CCM and automation are more important than ever
As the FedRAMP process evolves, we anticipate that Continuous Controls Monitoring (CCM) will become even more critical. While some compliance documentation requirements may decrease, the need for robust, automated security monitoring will only grow.
This is precisely where we’ve been leading the industry. Our AI- and automation-driven platform has always focused on continuous monitoring rather than point-in-time assessments. And our expertise in compliance as code has been supporting customers navigating the regulatory landscape by providing efficiency, accuracy, and scale.
We’re excited about this new chapter in FedRAMP’s evolution and what it means for cloud service providers and federal agencies alike. We hope to see you in the new community working groups — and that you’ll stay tuned for more updates as we continue to enhance our platform to support your GRC journey.