
Karen Laughton
EVP, Advisory Services, Coalfire
Compliance


With weeks of rumors, the big public announcement of the impending shift to the FedRAMP program happened on March 24, 2025. So, what was it? Essentially it all boils down to, FedRAMP 20X wants to make it easier and cheaper for Cloud Service Providers (CSPs) to sell their services to the federal government via automated validation and leveraging commercial standards. PMO wants to remove themselves as a barrier to agencies adopting cloud services and their role will solely be to set the standards.
Sounds amazing right? I know as Pete Waterman, FedRAMP Program Management Office (PMO) Director, was reading the script, I was singing John Lennon’s, “Imagine” in my head.
Now here is the fine print, GSA/FedRAMP PMO have no idea how to get to this utopia and they want the CSPs to join working groups to figure it out. It already costs millions of dollars for CSPs to achieve FedRAMP compliance and now they are expected to pay for more tools that may or may not work or develop their own capabilities to automate the validation of controls. This is all in the hope that an agency will be ok with whatever validation mechanism the CSP has invested in. Keep in mind, agencies aren’t even being asked to be involved in the working groups that are being established by FedRAMP PMO to figure out how to make this a reality. And if nobody participates in the working groups, FedRAMP 20X is dead on arrival.
I’ve spent the better part of the last decade trying to get agencies to all row in the same direction with FedRAMP and we still have so much work to do. Now with FedRAMP 20X, we are giving them a boat, but we are taking away the oars and hoping they all get to the same destination.
I think GSA is hoping infrastructure providers will be the ones to help bring industry to the promise land of automated validation checks but if I’m an infrastructure provider, I wouldn’t want the liability. If there is a breach to a CSP who uses your validation check mechanism, who’s to blame? How does an agency validate the validation? What does the infrastructure provider get out of it besides risk?
My advice to CSPs remains the same. Stick with the traditional rev. 5 path to achieving FedRAMP compliance. The timelines to achieve FedRAMP have already been drastically lowered even without automation. Why? The 8–12-month FedRAMP PMO review has been eliminated. All you need now is a 3PAO assessment and your first customer to issue you an authorization and voila they will put you in the marketplace.
The concept of agency sponsors is gone because now it is every agency for themselves and since most of them don’t even know that FedRAMP 20X is a thing, it’s business as usual. PMO is no longer managing continuous monitoring, so the idea of reciprocity also goes out the window. An agency never wanted to be the first because they felt like they had to do all the work, but every agency should be doing the same amount of work, because the authorizing official (AO) of one agency, can’t accept risk on behalf of another.
If I was an agency AO and I had a choice between using a CSP who follows the most stringent requirements which have been validated by a 3PAO or a CSP who meets the minimum and wants me to validate that their supposed automated validation checks are actually valid, I’m picking the 3PAO validation all day long.
There has never been a breach under the old-fashioned way. All I have to do as an AO is review a Plan of Action and Milestones (POA&M) on a monthly basis and then move on with my day. If the agency required the CSP to implement secure design principles, significant change requests become moot.
Leveraging commercial standards sounds great, but who is validating those policies and procedures are being applied to the operating environment the AO is being asked to authorize? The documentation is not the important part, the validation is. I would still recommend that CSPs design to the higher bar because even if your first agency is ok with a lower bar, the next one may not be and now you must reconfigure your solution to meet those requirements. Using your commercial environment sounds ideal but what happens if you encounter an agency who has more stringent requirements, like no non-US-persons in production or no non-FedRAMP compliant third-party solutions in your ecosystem? You are now limiting your market to those agencies who have a lower bar.
Are there areas ripe for automation? Yes! Documentation development is a great example of that. Do we all want to evolve and simplify the process? Yes, but as I stated in my previous blog, there is a better way to get there and I encourage CSPs, 3PAOs, and most importantly agencies to participate in the working groups being established by the FedRAMP PMO so we can help reshape the program without destroying the efficiency it was originally meant to bring.
I’ll leave you with some questions we should all be asking ourselves and within the working groups:
Join us at the PCI Community Meeting September 16-18, where Coalfire will be showcasing our latest advancements in cybersecurity and compliance.
Learn more