FedRAMP 20x: Meeting the Moment in Government Cloud Compliance

Session Overview

• Current State of Pursuing FedRAMP
• FedRAMP 20x - What Problem is it Trying to Solve?
• Biggest Challenges for CSPs, Agencies, & the FedRAMP PMO
• Strategic Recommendations: Preparing for the Next Era of FedRAMP
• Call to Action

Download Full Presentation (PDF)

What are the Biggest Security Hurdles?

• 64% of organizations struggle with security control remediation, and 61% struggled with security assessment.
• Both security control remediation and FedRAMP PMO review were the leading "extremely difficult" processes (16%), followed by readiness assessment (14%) and security assessment (13%).
• Vast majority of organizations choose to build from greenfield due to the challenges of uplifting commercial instance of their service.

What are the biggest process burdens?

• Manual evidence submissions.
• Slow turnaround on assessments.
• 38% lack of AOs and varying expectations across agencies and 3PAOs.

Introducing FedRAMP 20x: The Vision Forward

Modernize FedRAMP to scale authorization faster, increase automation, and embrace real-time risk evaluation.

Why Now?

• Skyrocketing number of CSPs entering market.
• Cloud-native complexity outpacing manual reviews.
• Agency resource constraints and outdated tooling.
• New technologies: AI, CI/CD, real-time telemetry.

What 20X Aims to Solve

Current Problems

• Manual bottlenecks
• Stale artifacts
• One-size-fits-all approach
• Disjointed processes

20X Solutions

• API-driven submissions & automated testing
• Real-time monitoring & dashboards
• Tailored Key Security Indicators (KSIs)
• Machine readable-evidence (e.g., OSCAL)

Implementation Obstacles for All Stakeholders

• For CSPs
  • Lack of telemetry
  • No standard for machine-readable evidence
  • Immature CI/CD integration
  • Tooling gaps
• For Agencies
  • Readiness gaps for live data
  • Staff trained for checklist audits
  • KSIs are unfamiliar
• For PMO + 3PAOS
  • No consistent scoring models
  • Limited continuous monitoring guidance
  • Resistance to change

Short-Term Moves (What to Start Doing Now)

1. Pilot Key Security Indicators
   • Start small with agency partners and iterate
2. Automate Submissions
   • Shift from emails to API-based delivery
3. Machine-Readable Formats
   • Convert documents and evidence
4. Focus on Verifiable Controls
   • Start with encryption, logging, access management
5. Internal Mapping & Reuse
   • Align controls across frameworks

Long-Term Strategy (What to Build Toward)

• Infrastructure & Standards
  • Standardize KSIs across ecosystem
  • Invest in modern infrastructure
  • Real-time data pipelines
  • Risk Scoring engines
• Process Innovation
  • Adopt federated risk models
  • Support continuous authorization
  • Push for reciprocity (CMMC, DOD RMF, GovRAMP, ISO, etc.)
  • Promote "One Audit, Many Uses"
• Remove agency sponsorship barrier

Final Thought – Our Call to Action

FedRAMP 20x represents the single biggest transformation of cloud authorization in the last decade. But it won't succeed without partnership, automation, and a shared commitment to real-time, risk-driven security.