FedRAMP 20x
'Keep Calm and Authorize On'

Josh Krueger

Chief Information Security Officer, Project Hosts

March 27, 2025

What Cloud Providers Need to Know about the Evolving Authorization Landscape

Overview: The FedRAMP Program Management Office (PMO) has announced “FedRAMP 20x”, a major modernization of the federal cloud security authorization process. This update is meant to streamline compliance, reduce bureaucracy, and speed up approvals for Cloud Service Providers (CSPs) and their security partners (including Managed Security Service Providers, MSSPs).

Below is a summary of what’s changing, what stays the same for now, and how to plan ahead. 

No Immediate Changes to Your Compliance Status 

Good news! No immediate new actions or changes are required for CSPs in the middle of FedRAMP authorization or already authorized. All existing FedRAMP paths and approvals remain valid for now. In fact, the FedRAMP PMO has confirmed that the current Agency-sponsored authorization process (using the FedRAMP Rev. 5 baseline) remains the only active path for achieving FedRAMP authorization “until a formal end-of-life timeline is announced.” 

This means: 

  • If you’re already FedRAMP authorized, your authorization remains in effect (it will simply be labeled as a Rev 5 authorization until you choose to transition to a new “20x” baseline in the future). There is no need to re-authorize or change anything right now. 

  • If you’re currently in process (working toward an Agency Authority to Operate, or ATO), continue as planned. No new compliance steps have been introduced yet, and the existing FedRAMP documentation/templates and Rev 5 controls are still the standard. 

  • If you’re just starting out on FedRAMP, the Rev 5 Agency ATO route is still the way to go today. FedRAMP 20x is being rolled out gradually (with pilots and working groups in 2025), so the new streamlined processes are not yet available for general use. 

 

Official word from FedRAMP: “In the meantime, existing baselines will remain in place and there are no immediate changes to the program.” The focus in early 2025 is on planning and collaboration rather than forcing any sudden shifts. So, no compliance deadlines or surprise requirements have been imposed in the near term.

What is FedRAMP 20x and Why the Change? 

FedRAMP 20x is being described as “a fundamental transformation” of the FedRAMP program. It’s not just a routine annual update – it’s an overhaul aimed at making federal cloud security faster, simpler, and more automated. A few driving factors behind this initiative:

 

  • Long Authorization Timelines: Under the old process, getting FedRAMP approval could take 6–18 months or even longer, which frustrated both industry and agencies. FedRAMP 20x’s goal is to cut approval times from “months or years to weeks” by automating assessments and eliminating bottlenecks. 

  • High Costs and Complexity: Achieving FedRAMP has been very costly and paper-intensive, which smaller providers found prohibitive. The new approach aims to reduce manual paperwork and rely on existing industry security work, so compliance isn’t an ordeal only a huge company can afford. 

  • Keeping Up with Cloud Innovations: The cloud ecosystem and security practices have evolved (DevOps, real-time monitoring, etc.), but FedRAMP’s traditional process has not fully kept pace. FedRAMP 20x is about aligning with modern, cloud-native security – think continuous monitoring, APIs, real-time dashboards – rather than static documents and one-size-fits-all checklists. 

  • Legislation and Policy Push: Congress formally codified FedRAMP via the FedRAMP Authorization Act in late 2022, and OMB’s July 2024 memo M-24-15 set a new vision to “significantly scale” the program and increase efficiency through automation. There’s top-level support to make FedRAMP a “security-first” program that trusts proven solutions and avoids redundant effort. (For example, OMB introduced a “presumption of adequacy” – if one agency has authorized a cloud product, other agencies should generally trust that authorization.) 

 

In short, FedRAMP 20x is about modernizing FedRAMP for the 2020s (“20x” is a nod to the year, as the framework will be updated annually: 2025, 2026, etc.). The aim is a FedRAMP process that keeps pace with technology, reduces burden on businesses, and gets security tools to agencies faster. As one GSA official put it, “FedRAMP 20x represents our commitment to cutting through complexity, empowering innovation, and ensuring that security keeps pace with technological advancement.” 

Major Changes Coming with FedRAMP 20x 

While nothing drastic happens overnight, FedRAMP 20x introduces several big shifts in how cloud security authorizations will work. Here are the key changes to be aware of: 

  • 1. Increased Automation of Security Checks: The new model will replace much of the manual review and documentation with automated, machine-readable validations. Over “80% of security requirements” are expected to be testable via automation (scans, scripts, APIs) rather than lengthy Word documents. For example, instead of writing a narrative explaining your encryption settings, you might run a tool that automatically verifies all data is encrypted and provides a real-time report. “Machines will handle validation instead of humans going through spreadsheets.” 

  • 2. Continuous Monitoring via Dashboards: Real-time monitoring will replace many periodic or point-in-time activities. CSPs will be expected to provide agencies with live security data – for instance, security dashboards or trust portals showing system status, compliance drift, and incidents in real time. The goal is that agencies can continuously verify security postures via these feeds, rather than relying on monthly reports or annual re-assessments. This is a shift to a “continuous compliance” mindset – more like an ongoing health monitor than an annual check-up. 

  • 3. Less Red Tape & Faster Authorizations: FedRAMP 20x is simplifying the process to approve cloud services in weeks instead of interminable months. One way is by dropping the requirement for an agency sponsor in some cases. Eventually, a CSP will “no longer [need] a federal agency to sponsor” their FedRAMP package for certain low risk services. 

  • 4. Greater Use of Existing Security Certifications: The new approach will “inherit best-in-class commercial security frameworks”. This means FedRAMP will accept evidence from standards like SOC 2, ISO 27001, or PCI to satisfy many requirements, instead of making you rewrite everything in a FedRAMP-specific format. If you already maintain robust security policies and audits for the private sector, FedRAMP 20x wants to leverage that. “Redundant government-specific documentation” will be pared down, with only minimal FedRAMP-specific addenda. For CSPs, this could mean uploading your existing policies and letting an automation tool map them to FedRAMP controls, rather than starting from scratch. 

  • 5. Decentralized Continuous Monitoring (ConMon): Ongoing monitoring of authorized cloud systems will shift away from FedRAMP’s centralized oversight to the agencies and providers themselves. Notably, the FedRAMP PMO is stopping its own “continuous monitoring” for JAB-authorized systems after March 2025. Going forward, agencies that use a cloud service will take responsibility for monitoring that service’s security, working directly with the CSP. The intent is to make ConMon more tailored and flexible: “making continuous monitoring more decentralized and based on the CSP’s terms.” CSPs will likely provide standardized data feeds or dashboards to all their federal customers so each agency can see security status in real time. The FedRAMP team will convene a working group with industry to define how this decentralized monitoring should work, ensuring consistency. 

  • 6. FedRAMP PMO’s Evolving Role: The FedRAMP PMO is slimming down and changing focus. Instead of acting as a heavy-handed reviewer or middleman for every package, the PMO will focus on setting standards, automating processes, and helping clear bottlenecks. In fact, FedRAMP announced it will no longer do the intensive “triple check” reviews of security packages after March 2025. In practical terms, this means once you prepare your authorization package, the thorough review will be done by your sponsoring agency (and eventually by automated tools) – the FedRAMP office won’t be adding extra months of review on top. The PMO is reallocating resources toward hiring technical experts (engineers, data scientists) and building automation tools. They’ve even launched a developer hub (automate.fedramp.gov) to support the creation of machine-readable FedRAMP packages. All of this indicates the PMO’s new mission is to “clear the way” for faster authorizations rather than scrutinize each detail. 

  • 7. Community Collaboration (Working Groups): A cornerstone of FedRAMP 20x is that it will be built “entirely in public” with industry input. GSA stood up four FedRAMP 20x Community Working Groups in late March 2025. These groups (open to experts from industry, agencies, and other stakeholders) are tackling topics like refining Rev 5 continuous monitoring, designing automated assessment methods, integrating commercial frameworks, and defining continuous reporting standards. Instead of FedRAMP dictating all the “how,” they are asking the community to propose solutions – “CSPs will propose security standards, automation methods, and monitoring strategies and government agencies will validate that these meet federal requirements”. This is a big culture change: FedRAMP is shifting to an industry-led compliance model where the government sets outcome-focused requirements and industry helps figure out the best way to meet them. For CSPs and MSSPs, this means you have an opportunity to shape the future program (additionally you have a responsibility to adapt to new best practices that emerge from these groups). 

 

Taken together, these changes are about trusting automated evidence, letting agencies and vendors work directly together, and continuously improving standards each year. 
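As an added example, not code from the original post or from Project Hosts: a short Python script showing what an automated, machine-readable control check of the kind described in item 1 could look like. It evaluates a constructed resource inventory for encryption at rest and in transit and emits a JSON report that a dashboard or agency data feed could ingest. The resource names, field names, check identifiers and the “customer-managed key required” policy are assumptions for illustration, not FedRAMP requirements.

```python
"""Automated, machine-readable control check (added example, not a FedRAMP artifact).

Evaluates a constructed resource inventory against two assumed requirements
(encryption at rest with a customer-managed key, minimum TLS 1.2 in transit)
and produces a JSON report with per-resource evidence and a timestamp.
"""
import json
from dataclasses import dataclass, asdict
from datetime import datetime, timezone

# Constructed sample inventory: the shape an asset-discovery API might return.
# Resource ids, fields and values are assumptions for this example.
SAMPLE_INVENTORY = [
    {"id": "storage-prod-01", "type": "object-store", "encrypted_at_rest": True,
     "kms_key": "cmk-prod", "tls_min_version": "1.2"},
    {"id": "storage-logs-02", "type": "object-store", "encrypted_at_rest": True,
     "kms_key": None, "tls_min_version": "1.2"},
    {"id": "db-legacy-03", "type": "database", "encrypted_at_rest": False,
     "kms_key": None, "tls_min_version": "1.0"},
]

# Assumed policy: TLS 1.2 or 1.3 is acceptable; anything else fails.
TLS_MIN_OK = ("1.2", "1.3")


@dataclass
class Finding:
    check_id: str      # assumed identifier for the requirement being tested
    resource_id: str
    status: str        # "pass" or "fail"
    detail: str        # human-readable evidence for the result


def check_encryption_at_rest(resource):
    """Assumed policy: data at rest must be encrypted with a customer-managed key."""
    if not resource.get("encrypted_at_rest"):
        return Finding("ENC-AT-REST", resource["id"], "fail",
                       "encryption at rest disabled")
    if not resource.get("kms_key"):
        return Finding("ENC-AT-REST", resource["id"], "fail",
                       "encrypted with provider-default key, no customer-managed key")
    return Finding("ENC-AT-REST", resource["id"], "pass",
                   f"customer-managed key {resource['kms_key']}")


def check_tls(resource):
    """Assumed policy: minimum negotiated TLS version must be 1.2 or higher."""
    ver = resource.get("tls_min_version")
    if ver in TLS_MIN_OK:
        return Finding("ENC-IN-TRANSIT", resource["id"], "pass", f"minimum TLS {ver}")
    return Finding("ENC-IN-TRANSIT", resource["id"], "fail",
                   f"minimum TLS {ver!r} below 1.2")


CHECKS = [check_encryption_at_rest, check_tls]


def run_checks(inventory):
    """Run every check against every resource; return a report as a dict."""
    findings = [chk(r) for r in inventory for chk in CHECKS]
    summary = {}
    for f in findings:
        counts = summary.setdefault(f.check_id, {"pass": 0, "fail": 0})
        counts[f.status] += 1
    return {
        "generated_at": datetime.now(timezone.utc).isoformat(),
        "overall": "pass" if all(f.status == "pass" for f in findings) else "fail",
        "summary": summary,
        "findings": [asdict(f) for f in findings],
    }


def report_json(inventory):
    """Serialize the report so a dashboard or API consumer can ingest it."""
    return json.dumps(run_checks(inventory), indent=2)


if __name__ == "__main__":
    print(report_json(SAMPLE_INVENTORY))
```

Run as a script it prints the report for the constructed inventory (overall “fail”, with the default-key bucket and the unencrypted legacy database called out individually). In a real deployment the inventory would come from the provider’s own API and the output would be pushed to a trust portal or agency feed rather than printed; the point is that the narrative “all data is encrypted” becomes a reproducible check with a timestamp and per-resource evidence.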

 

Official Guidance and Timeline Highlights 

To help you plan, here’s a timeline of key FedRAMP 20x milestones and official guidance releases: 

  • July 2024: OMB published Memo M-24-15 Modernizing FedRAMP, which set the strategic direction for these changes. It established a new FedRAMP Board (replacing the old Joint Authorization Board) to oversee the program, emphasized scaling the FedRAMP Marketplace, and introduced the “presumption of adequacy” (requiring agencies to reuse existing FedRAMP authorizations as much as possible). This memo signaled to all agencies that FedRAMP would become more mandatory and uniform across government. 

  • Late 2024: FedRAMP PMO began reorganizing according to the new policy – hiring technical staff, forming a Technical Advisory Group, and piloting an “agile” review process for cloud providers’ significant updates. (This pilot allows some CSPs to roll out new features without the old lengthy “Significant Change Request” approval, foreshadowing how FedRAMP 20x will handle continuous improvement.) 

  • March 24, 2025: FedRAMP 20x officially announced. GSA’s FedRAMP team unveiled the initiative at an industry event in D.C., accompanied by a press release and a detailed FedRAMP.gov blog post. On this date, the FedRAMP website launched new pages for FedRAMP 20x (explaining goals), 20x FAQs, Community Working Groups, and an Engagements calendar. This is essentially “Day 1” of the transformation initiative. 

  • Late March – April 2025: Community Working Groups launch. Four groups were scheduled to kick off between March 31 and April 10, 2025, each focusing on a key area (Continuous Monitoring under Rev.5, Automating Assessments, Applying Existing Frameworks, and Continuous Reporting). During this period, FedRAMP officials are holding public forums (on GitHub, Zoom, industry conferences) to gather input and answer questions. This is a discovery and design phase, where a lot of the future processes will be shaped. FedRAMP encourages all interested parties to participate or at least follow along (materials are posted publicly). 

  • End of April 2025: Clearing the backlog. One of FedRAMP’s immediate goals is to eliminate the backlog of pending authorizations by April’s end. The PMO is focusing resources to get through any stuck Rev 5 packages (so if you’ve been awaiting a review, there’s a push to finish those). After April, the PMO will continue processing new Rev 5 Agency authorizations on demand, but with the changes noted (no FedRAMP “triple check” and agencies taking more ownership). 

  • Throughout 2025: Phase One – Pilot and Iterate. FedRAMP will be developing the new 20x framework in the open. As the working groups produce recommendations, FedRAMP will likely issue draft guidance documents for public comment (e.g., new templates or criteria). Guidance for using any new approach will be rolled out gradually on a rolling basis once validated by pilots. In other words, 2025 is a transition year: agencies and CSPs stick to the current process while contributing to (or observing) the building of the next-gen process. 

  • 2026: First FedRAMP “20x” Update Release. FedRAMP plans to shift to annual updates (hence the “20x” naming). We expect FedRAMP 2026 – the first yearly update – to be released during 2026, replacing the old Rev 5 baseline with a new set of streamlined requirements. This annual release cycle will allow security requirements to evolve continuously rather than waiting 3-5 years for a big revision. Going forward, you can expect “FedRAMP 2027,” “FedRAMP 2028,” etc., each year – similar to software versioning. This ensures the program stays current with emerging threats and technologies. 

  • Transition Period: Even after new 20x baselines come out, there will be a grace period for transitioning. All existing FedRAMP-authorized offerings will continue to be recognized (as Rev.4/Rev.5) until they choose to update to a newer baseline. We anticipate FedRAMP will announce an end-of-life date for the old process once the new one is fully tested and ready. This hasn’t happened yet; however, the FedRAMP PMO has promised to give ample notice so companies can plan their transition. 

 

Where to find official info: FedRAMP is committed to transparency during this overhaul. They have published a set of resources to track progress and answers. Key ones include the FedRAMP 20x FAQ page (which addresses common questions and will be updated regularly), the FedRAMP blog (recent posts like “FedRAMP in 2025” and “The Next Phase of FedRAMP” give insight into strategy), and the Changelog on fedramp.gov that logs significant updates. We will continue monitoring these and will pass along any important new guidance. 

Impact on Your Authorization Journey and Continuous Monitoring 

For those on the path to FedRAMP approval (or maintaining it), here’s how FedRAMP 20x will affect you: 

  • Path to Authorization: In the near term, nothing changes about “how to get authorized.” You still need an agency ATO sponsor and to implement the Rev 5 controls, etc. In the future, entirely new entrants might be able to apply to FedRAMP for an authorization without a sponsor (especially for Low impact SaaS offerings). But those criteria are not live yet. We’ll let you know when/if a “no-sponsor” route becomes available for broad use. The key takeaway: keep working with your agency partners for now but know that FedRAMP is aiming to make the onboarding process easier and faster. 

  • Use of Existing Authorizations: One benefit you’ll see: agencies are being directed to trust existing FedRAMP authorizations more uniformly. If your service is FedRAMP-authorized by one agency, other agencies should not force you through redundant steps. OMB’s policy basically says a FedRAMP authorization is “presumed adequate” for reuse government-wide. We expect this to simplify customer acquisition – it should become easier to leverage your Marketplace listing and package when expanding to new agency customers (fewer unique control requirements or paperwork per agency). FedRAMP 20x’s emphasis on direct agency-provider engagement will also let you address any agency-specific needs more straightforwardly, rather than via the PMO. 

  • Continuous Monitoring Changes: If you have a FedRAMP ATO, you’re familiar with monthly reporting, annual assessments, and significant change requests. These processes will evolve:

    • Monthly/Quarterly Reporting → Real-Time Data: Instead of sending periodic scan results or reports to the FedRAMP PMO, you will likely provide continuous access to security data for your federal customers. For example, you might grant agencies access to an online dashboard or an automated feed of your vulnerability scans, configurations, and incident status. FedRAMP 20x envisions that by 2026, agencies will have “direct visibility into CSP security dashboards” and can self-certify updates without FedRAMP needing to review every change. 

    • Significant Changes: Under the legacy process, any major change (like adding a new service feature or major architecture change) required a FedRAMP review and approval (Significant Change Request). Going forward, FedRAMP intends to eliminate separate FedRAMP approval for most updates. Agencies and CSPs will handle changes directly. This means more freedom to innovate continuously. By 2026, if your change management processes are solid and your automated controls are in place, you should be able to update your cloud service quickly and just show the evidence of security to agencies (as opposed to asking permission via paperwork). 

    • Annual Assessments: The traditional annual re-assessment by a Third Party Assessor (3PAO) may be phased out or significantly modified. FedRAMP 20x’s goal is to move to “real-time updates” instead of point-in-time rechecks. In the future, compliance will be an ongoing process (with continuous scans and control enforcement) rather than a big yearly event. This could eventually replace the yearly assessment with ongoing validation, saving time and cost. Until new guidelines are out, continue your annual assessments as required, but know that FedRAMP is working toward a model where security is verified by tooling every day rather than by auditors once a year.

    • ConMon Responsibility: If you received a JAB P-ATO in the past, the FedRAMP JAB (now the FedRAMP Board) used to do some centralized continuous monitoring of those systems. That centralized function is ending as of March 2025 – now the authorizing agency must take full ownership of monitoring those systems. For CSPs, this means you’ll coordinate more with your agencies’ security teams for ongoing reviews. Expect agencies to possibly ask for more data or access for their oversight. (If Project Hosts is involved in any centralized FedRAMP monitoring on your behalf, we will ensure a smooth handoff or continuation under the new model.)

  • Future Baselines (Moderate/High): Initially, FedRAMP 20x is focusing on relatively cloud-native, SaaS, Low impact services (especially those built on top of already FedRAMP-approved infrastructure like AWS, Azure, GSS One, etc.). Moderate and High Impact systems and more complex architectures will still use the existing manual processes for a while longer. Over time, however, even high-impact offerings will be brought into the new streamlined framework. FedRAMP might roll out the new approach in phases or pilots by impact level. We’ll keep an eye on baseline-specific guidance (e.g., if you operate a High system, when you can transition to “FedRAMP 20x High”). For now, FedRAMP High remains on Rev 5 and will incrementally benefit from any automation improvements until a new process covers it.

 

Bottom line: Your FedRAMP ATO is safe and sound; just be prepared for a shift in how you maintain it. 

Practical Takeaways and Next Steps for You 

To ensure you’re ready for FedRAMP 20x’s changes, here are some practical steps and takeaways for CSPs and MSSPs: 

  • Stay the Course on Rev 5 Compliance: If you’re currently pursuing FedRAMP or maintaining it, continue to follow your existing security baseline and keep up with Continuous Monitoring under current guidelines. There’s no new framework to switch to yet, so maintain your documentation, updates, and reporting as before.

  • Prepare for Automation and APIs: Begin evaluating your environment for automation readiness. FedRAMP 20x will use APIs and automated tools (e.g., scripts) to pull evidence. Project Hosts has been working on solutions for this over the past several years and will be able to assist in this process.

  • Follow FedRAMP 20x Developments: Keep an eye on the working group outputs and FedRAMP’s announcements. Consider joining the FedRAMP community Slack or GitHub discussions if available, or simply track the FedRAMP.gov Engagements page for upcoming webinars. We will continue to update you, but it’s also useful to hear first-hand what new automation guidelines or security reference architectures are emerging from these groups. Public draft guidance will be released for comment – if you have strong feelings about a proposed change, you’ll have a chance to weigh in officially. 

  • Be Ready for Change (But Not Overwhelmed): FedRAMP 20x will be an iterative journey. There may be tweaks and adjustments as the community pilots new ideas. The best approach is to stay agile and adaptive. In practice, this means regularly reviewing FedRAMP releases each year and adjusting your controls/policies accordingly, which we will of course help you with. 

 

GSS One Console 

Our GSS One Console—a FedRAMP-authorized component of our PaaS—already gives both agency and CSP customers a central hub for seamlessly managing their FedRAMP requirements. From storing and updating System Security Plans (SSPs) and related appendices, to handling POA&Ms, vulnerability scans, security incidents and alerts and even red teaming activities, this console offers a comprehensive suite of tools tailored specifically for continuous monitoring (ConMon). Because we’ve designed GSS One Console with the principle of “real-time compliance” in mind, organizations can efficiently track incidents, manage required training, maintain current contacts, and link controls to their relevant evidence or artifacts. This streamlined approach not only saves time but also reduces the complexity and costs often associated with manual FedRAMP documentation and reporting. As FedRAMP 20x evolves to emphasize greater automation, real-time data, and overall process efficiency, GSS One Console is well positioned to help you adapt quickly. We’ll continue enhancing its features and functionality, whether that means expanding automated continuous monitoring capabilities or adding more robust dashboards to align with forthcoming guidelines. Our goal is to ensure every customer experiences a smooth transition to the next phase of FedRAMP by onboarding them to improved workflows in the console. We’re excited to keep investing in GSS One Console so you can focus on delivering secure, innovative solutions, all while maintaining full confidence in your FedRAMP compliance posture. 

Closing Thought 

We at Project Hosts, Inc. are committed to guiding you through this FedRAMP evolution. The tone from the top is that FedRAMP’s core mission isn’t changing: security and trust in cloud services remain the top priority, but the methods to get there will be more efficient. Our plan is to incorporate these new automation and continuous monitoring practices into our offerings, so that our customers can seamlessly meet any new FedRAMP 20x requirements as they become official. 

Please don’t hesitate to reach out with any questions or concerns. This update is meant to reassure you that no immediate action is required and to inform you of what’s on the horizon. We will continue to keep you updated with guidance as FedRAMP 20x evolves. 

As the FedRAMP Director Pete Waterman said, “Keep calm and authorize on.” 

To learn more about these changes, Contact Us Below.

We would like to learn more about your initiative and share how we are helping companies navigate and accelerate their compliance journey.
