
FedRAMP 20X: A Bold Vision or a Risky Bet?

Karen Laughton


EVP, Advisory Services, Coalfire

March 26, 2025

The Unanswered Questions of Automated Compliance

After weeks of rumors, the big public announcement of the impending shift in the FedRAMP program came on March 24, 2025. So, what was it? Essentially, it boils down to this: FedRAMP 20X wants to make it easier and cheaper for Cloud Service Providers (CSPs) to sell their services to the federal government through automated validation and by leveraging commercial standards. The PMO wants to remove itself as a barrier to agencies adopting cloud services; its role will be solely to set the standards.

Sounds amazing, right? I know that as Pete Waterman, FedRAMP Program Management Office (PMO) Director, was reading the script, I was singing John Lennon's "Imagine" in my head.

Now here is the fine print: GSA and the FedRAMP PMO have no idea how to get to this utopia, and they want the CSPs to join working groups to figure it out. It already costs millions of dollars for CSPs to achieve FedRAMP compliance, and now they are expected to pay for more tools that may or may not work, or to develop their own capabilities to automate the validation of controls. This is all in the hope that an agency will be OK with whatever validation mechanism the CSP has invested in. Keep in mind, agencies aren't even being asked to be involved in the working groups that the FedRAMP PMO is establishing to figure out how to make this a reality. And if nobody participates in the working groups, FedRAMP 20X is dead on arrival.

I've spent the better part of the last decade trying to get agencies to all row in the same direction with FedRAMP, and we still have so much work to do. Now, with FedRAMP 20X, we are giving them a boat, but we are taking away the oars and hoping they all get to the same destination.

I think GSA is hoping infrastructure providers will be the ones to help bring industry to the promised land of automated validation checks, but if I were an infrastructure provider, I wouldn't want the liability. If there is a breach at a CSP that uses your validation check mechanism, who's to blame? How does an agency validate the validation? What does the infrastructure provider get out of it besides risk?

My advice to CSPs remains the same: stick with the traditional Rev. 5 path to achieving FedRAMP compliance. The timelines to achieve FedRAMP have already been drastically shortened even without automation. Why? The 8–12-month FedRAMP PMO review has been eliminated. All you need now is a 3PAO assessment and a first customer to issue you an authorization, and voilà, they will put you in the marketplace.

The concept of agency sponsors is gone because now it is every agency for itself, and since most of them don't even know that FedRAMP 20X is a thing, it's business as usual. The PMO is no longer managing continuous monitoring, so the idea of reciprocity also goes out the window. An agency never wanted to be the first because it felt like it had to do all the work, but every agency should be doing the same amount of work, because the authorizing official (AO) of one agency can't accept risk on behalf of another.

If I were an agency AO and had a choice between a CSP that follows the most stringent requirements, validated by a 3PAO, and a CSP that meets the minimum and wants me to validate that its supposed automated validation checks are actually valid, I'm picking the 3PAO validation all day long.

There has never been a breach under the old-fashioned way. All I have to do as an AO is review a Plan of Action and Milestones (POA&M) on a monthly basis and then move on with my day. If the agency required the CSP to implement secure design principles, significant change requests become moot. 

Leveraging commercial standards sounds great, but who is validating that those policies and procedures are being applied to the operating environment the AO is being asked to authorize? The documentation is not the important part; the validation is. I would still recommend that CSPs design to the higher bar, because even if your first agency is OK with a lower bar, the next one may not be, and then you must reconfigure your solution to meet those requirements. Using your commercial environment sounds ideal, but what happens if you encounter an agency with more stringent requirements, like no non-U.S. persons in production or no non-FedRAMP-compliant third-party solutions in your ecosystem? You are now limiting your market to those agencies that have a lower bar.

Are there areas ripe for automation? Yes! Documentation development is a great example. Do we all want to evolve and simplify the process? Yes, but as I stated in my previous blog, there is a better way to get there, and I encourage CSPs, 3PAOs, and, most importantly, agencies to participate in the working groups being established by the FedRAMP PMO so we can help reshape the program without destroying the efficiency it was originally meant to bring.

I’ll leave you with some questions we should all be asking ourselves and within the working groups:

  • What happens when a program sets ambitious goals for automation and decentralization but doesn’t yet have a clear roadmap to get there?
  • Can an initiative succeed if its success depends on voluntary participation from stakeholders who weren’t included in shaping it?
  • How might the cost burden shift for Cloud Service Providers under a system that requires them to invest in building or purchasing automation tools without any guarantee that those tools will be accepted by authorizing agencies?
  • What incentives exist for vendors or infrastructure providers to take on the liability of validating other vendors’ security claims?
  • Can automated validation work effectively without a universal agreement on what "valid" means and who gets to decide that?
  • If validation mechanisms become decentralized, how do agencies ensure they're not duplicating effort or exposing themselves to inconsistent risk assessments?
  • If each agency now operates independently under FedRAMP 20X, what replaces the shared accountability and trust that used to come from PMO-managed continuous monitoring and reciprocity?
  • In a world without standardized continuous monitoring, how can we ensure that security assurance doesn't vary wildly between federal consumers?
  • From an agency Authorizing Official’s perspective, what’s the safer bet: relying on a time-tested 3PAO-validated package or being the first to trust a vendor’s self-attested, automated control check?
  • How might the perception of risk influence agency decisions when the validation process becomes less centralized?
  • Are we focusing too much on whether automation is possible, and not enough on where it makes sense?
  • What tasks in the FedRAMP process are actually ripe for automation and which ones still require deep contextual judgment?
  • Could designing your solution to meet only the minimum bar actually restrict your long-term market access in federal space?
  • What happens if a CSP designs around relaxed, commercial-equivalent requirements, only to discover their next agency customer has stricter needs like U.S. citizenship requirements or bans on non-FedRAMP compliant third-party cloud services?
  • Can a transformation effort succeed if it lacks a feedback loop between the people creating the new framework and the agencies expected to adopt and trust it?
  • How does the absence of agencies in the working groups affect the legitimacy and practicality of any proposed changes?

Join us at our 3rd annual RAMPcon event in Washington DC!

On June 9-10, Coalfire is hosting an intensive two-day conference at the Ronald Reagan building where industry leaders, government officials, and compliance experts converge to explore the evolving landscape of FedRAMP and public sector compliance. This event features technical deep-dives, business strategy sessions, and expert panels addressing the most pressing challenges and opportunities in public sector cloud security.
