GSA launches FedRAMP revamp

One major goal of the changes is to shorten the time it takes agencies to get access to the latest technology, “not months or years down the road,” the agency’s acting administrator said.
The General Services Administration launched FedRAMP 20x Monday, an effort it is pursuing with industry to use more automation and cut red tape around the government’s cloud security assessment and authorization program.
The Federal Risk and Authorization Management Program, or FedRAMP, is used to ensure services offered by cloud providers meet certain cybersecurity requirements before government agencies can use them.
“Our partnership with the commercial cloud industry needs serious improvement. Strengthening this relationship will help us fulfill our commitment to cutting waste and adopting the best available technologies to modernize the government’s aging IT infrastructure,” Stephen Ehikian, acting administrator of the General Services Administration, which runs FedRAMP, said in a statement. “FedRAMP 20x will give agencies access to the latest technology now — not months or years down the road.”
A major focus of the change is moving from manual compliance checklists to automated security validations, as Nextgov/FCW reported last week. The goal is to have automated validation for over 80% of the program’s security requirements, as opposed to written explanations, GSA says. Instead of annual assessments, there will be automated checks.
The legislation officially authorizing FedRAMP, included in the 2023 must-pass defense policy bill, also tasked the program with speeding up cloud authorizations by using automation, a to-do item that was also included in revamped guidance for the program last summer.
GSA is also getting rid of requirements for a federal agency sponsor for simple, low-impact service offerings and is aiming to finish authorization in weeks for most cloud offerings, it says.
The updates to the program come as the team running it — and its budget — has shrunk as GSA writ large sheds employees, FedRAMP director Pete Waterman acknowledged at an industry event on Monday before emphasizing the need for change.
“The reality is that FedRAMP is so expensive and burdensome right now that most companies never consider it,” he said. “FedRAMP today is not meeting our needs… Why is it so hard? It’s because FedRAMP is rooted in the past.”
Rep. Gerry Connolly, D-Va., the top Democrat on the House Oversight and Government Reform Committee and author of the FedRAMP Authorization Act, told Nextgov/FCW that the Trump administration hasn’t yet consulted Congress on these changes, calling it “a radical departure from the longstanding partnership between Congress and the Executive Branch on this issue.”
“The Administration must provide clear assurance that it will result in effective and rigorous security outcomes,” he said.
On the contractor side, David Appel, Vice President of U.S. Federal at AWS, told Nextgov/FCW that “AWS looks forward to working with GSA as they modernize the program and drive updated security practices.”
“Google welcomes FedRAMP 2025’s focus on maximizing automation and zero trust to make the best technology rapidly and securely available for federal government use,” said Chris DeRusha, Director of Global Public Sector Compliance for Google Cloud.
“Increased government efficiency and transformation are imperative for all agencies as they work to modernize legacy technology, streamline complex processes, and improve operations. ServiceNow strongly supports streamlining the FedRAMP program, which will expedite the adoption of secure, innovative technologies across government,” a ServiceNow spokesperson said.
Frank Konkel contributed to this report.