Session Presentation
FedRAMP 20x: Meeting the Moment in Government Cloud Compliance

Explore critical perspectives and strategic insights on government cloud compliance and security in our RAMPcon 2025 "Navigating the Future of FedRAMP & Cloud Security" presentations, featuring keynotes from leading industry innovators.

Session Overview
- Current State of Pursuing FedRAMP
- FedRAMP 20x - What Problem is it Trying to Solve?
- Biggest Challenges for CSPs, Agencies, & the FedRAMP PMO
- Strategic Recommendations: Preparing for the Next Era of FedRAMP
- Call to Action
What are the Biggest Security Hurdles?
- 64% of organizations struggle with security control remediation, and 61% struggle with security assessment.
- Security control remediation and FedRAMP PMO review were the leading "extremely difficult" processes (16% each), followed by readiness assessment (14%) and security assessment (13%).
- The vast majority of organizations choose to build from greenfield because of the challenges of uplifting the commercial instance of their service.
What are the biggest process burdens?
- Manual evidence submissions.
- Slow turnaround on assessments.
- 38% cite a lack of AOs (Authorizing Officials) and varying expectations across agencies and 3PAOs.
Introducing FedRAMP 20x: The Vision Forward
Modernize FedRAMP to scale authorization faster, increase automation, and embrace real-time risk evaluation.
Why Now?
- Skyrocketing number of CSPs entering market.
- Cloud-native complexity outpacing manual reviews.
- Agency resource constraints and outdated tooling.
- New technologies: AI, CI/CD, real-time telemetry.
What 20x Aims to Solve
Current Problems
- Manual bottlenecks
- Stale artifacts
- One-size-fits-all approach
- Disjointed processes
20x Solutions
- API-driven submissions & automated testing
- Real-time monitoring & dashboards
- Tailored Key Security Indicators (KSIs)
- Machine-readable evidence (e.g., OSCAL)
Implementation Obstacles for All Stakeholders
- For CSPs
  - Lack of telemetry
  - No standard for machine-readable evidence
  - Immature CI/CD integration
  - Tooling gaps
- For Agencies
  - Readiness gaps for live data
  - Staff trained for checklist audits
  - KSIs are unfamiliar
- For PMO + 3PAOs
  - No consistent scoring models
  - Limited continuous monitoring guidance
  - Resistance to change
Short-Term Moves (What to Start Doing Now)
- Pilot Key Security Indicators
  - Start small with agency partners and iterate
- Automate Submissions
  - Shift from emails to API-based delivery
- Machine-Readable Formats
  - Convert documents and evidence
- Focus on Verifiable Controls
  - Start with encryption, logging, access management
- Internal Mapping & Reuse
  - Align controls across frameworks
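The short-term moves above (verifiable controls such as encryption, logging and access management, evaluated automatically and delivered as machine-readable evidence) can be illustrated with a small evaluator. This is an added example, not code from the presentation or from Coalfire: the KSI identifiers (KSI-HYP-01 and so on), the evidence format and the sample inventory are all constructed for illustration and are not FedRAMP's official KSIs or the OSCAL schema.

```python
"""Evaluate a handful of verifiable controls against constructed telemetry and
emit machine-readable evidence. Added example: the KSI names, thresholds and
the output format are hypothetical, not FedRAMP's KSIs or OSCAL."""
import json
from datetime import datetime, timezone

# Constructed sample inventory, standing in for what a CSP's configuration or
# inventory API would return in a real pipeline.
SAMPLE_INVENTORY = {
    "storage": [
        {"id": "bucket-logs", "encryption_at_rest": "AES-256", "access_logging": True},
        {"id": "bucket-uploads", "encryption_at_rest": None, "access_logging": False},
    ],
    "identities": [
        {"user": "admin@example.gov", "mfa": True, "privileged": True},
        {"user": "svc-deploy", "mfa": False, "privileged": True},
        {"user": "analyst@example.gov", "mfa": False, "privileged": False},
    ],
    "log_pipeline": {"central_sink": "siem", "retention_days": 365},
}


# Each check returns (passed, list_of_failing_resource_ids).
def ksi_encryption_at_rest(inv):
    failing = [s["id"] for s in inv["storage"] if not s.get("encryption_at_rest")]
    return not failing, failing


def ksi_access_logging(inv):
    failing = [s["id"] for s in inv["storage"] if not s.get("access_logging")]
    return not failing, failing


def ksi_privileged_mfa(inv):
    failing = [u["user"] for u in inv["identities"] if u["privileged"] and not u["mfa"]]
    return not failing, failing


def ksi_log_retention(inv, minimum_days=90):
    # Hypothetical threshold: logs must reach a central sink and be kept >= 90 days.
    pipeline = inv["log_pipeline"]
    ok = pipeline.get("central_sink") is not None and pipeline.get("retention_days", 0) >= minimum_days
    return ok, [] if ok else ["log_pipeline"]


# Hypothetical KSI catalogue: identifier -> (description, check function).
KSIS = {
    "KSI-HYP-01": ("All storage is encrypted at rest", ksi_encryption_at_rest),
    "KSI-HYP-02": ("Access logging is enabled on all storage", ksi_access_logging),
    "KSI-HYP-03": ("Privileged identities enforce MFA", ksi_privileged_mfa),
    "KSI-HYP-04": ("Logs are centralised and retained >= 90 days", ksi_log_retention),
}


def evaluate(inventory, now=None):
    """Run every KSI check and return a JSON-serialisable evidence record."""
    now = now or datetime.now(timezone.utc)
    results = []
    for ksi_id, (description, check) in KSIS.items():
        passed, failing = check(inventory)
        results.append({
            "ksi": ksi_id,
            "description": description,
            "status": "pass" if passed else "fail",
            "failing_resources": failing,
        })
    passed_count = sum(1 for r in results if r["status"] == "pass")
    return {
        "evidence_format": "hypothetical-ksi-evidence/1",  # not an OSCAL model
        "collected_at": now.isoformat(),
        "results": results,
        "summary": {"passed": passed_count, "failed": len(results) - passed_count},
    }


def to_json(report):
    """Serialise deterministically so the artifact can be diffed between runs."""
    return json.dumps(report, indent=2, sort_keys=True)


if __name__ == "__main__":
    print(to_json(evaluate(SAMPLE_INVENTORY)))
```

Run on the constructed inventory, the record reports one passing KSI (log retention) and three failing ones, naming the unencrypted, unlogged bucket and the privileged account without MFA. The point of the structure is that each result is tied to a resource identifier and a collection timestamp, which is what lets a reviewer or dashboard consume it continuously instead of reading a narrative SSP paragraph.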
Long-Term Strategy (What to Build Toward)
- Infrastructure & Standards
  - Standardize KSIs across the ecosystem
  - Invest in modern infrastructure
  - Real-time data pipelines
  - Risk-scoring engines
- Process Innovation
  - Adopt federated risk models
  - Support continuous authorization
  - Push for reciprocity (CMMC, DoD RMF, GovRAMP, ISO, etc.)
  - Promote "One Audit, Many Uses"
  - Remove the agency sponsorship barrier
Final Thought – Our Call to Action
FedRAMP 20x represents the single biggest transformation of cloud authorization in the last decade. But it won't succeed without partnership, automation, and a shared commitment to real-time, risk-driven security.