FedRAMP 20x: Five Key Takeaways for the Government Sector

This guest blog was contributed by Ari Mojiri, Director, GRC Office, at Drata.

The simpler it is to comply with government regulations, the easier it becomes to bring efficiency and innovation into the government sector.

That’s why FedRAMP 20x, a new initiative that aims to help businesses achieve FedRAMP authorization faster and at a fraction of the cost, should be welcome news to government agencies and contractors. The update, driven by an efficiency-focused team, promises to address some of the outdated processes that have historically made it hard to innovate quickly in the government space.


That said, the question now looming before the government sector is the extent to which FedRAMP 20x will actually impact businesses. The initiative remains new, but it has already introduced a pilot program to fast-track the FedRAMP Low authorization process. 


I can’t predict the future with any greater promise of accuracy than anyone else. But as someone who has helped many businesses (in the government sector and beyond) automate and modernize their compliance operations, I’ve been watching FedRAMP 20x closely. I have some thoughts about what it will mean and how businesses should react.


Here are five key takeaways about FedRAMP 20x.

  1. FedRAMP requirements remain unchanged

Perhaps the biggest fact to bear in mind about FedRAMP 20x is that it is not meant to water down the security posture that organizations must demonstrate to gain FedRAMP authorization. The initiative aims to streamline the bureaucratic processes associated with FedRAMP while operating within the same statutory requirements; if anything, it seeks to strengthen how those requirements are verified.


Thus, it would be a mistake to think that the new initiative will allow businesses to have less accountability. On the contrary, implementing, documenting and auditing sound cybersecurity practices remain as critical as ever for FedRAMP authorization.


The Phase One Pilot Program is expected to launch by the end of May, with FedRAMP Low authorizations beginning in June. According to the initiative, the pilot will examine the effectiveness of continuous security assessments via automated validation versus “the need for a traditional control-by-control narrative approach.” To qualify, organizations will have to demonstrate “continuous, automated validation” of Key Security Indicators (KSIs), which are meant to provide a simpler way of satisfying critical security capabilities. The KSIs are still aligned with NIST SP 800-53 requirements, so the underlying control expectations do not change; what changes is how compliance with them is evidenced.

  2. The government IT services ecosystem will grow more competitive

Because the FedRAMP authorization process has traditionally been complex, smaller cloud service providers (CSPs) often struggled to become authorized. As a result, they weren’t always able to offer solutions to government agencies.


I expect that FedRAMP 20x will change this. By making it easier for smaller CSPs and other technology providers to gain FedRAMP authorization, the change will increase the number of businesses that can compete for government contracts and subcontracts. This could also be a good thing from the perspective of government agencies because it will afford them more choice when selecting technology partners.

  3. FedRAMP 20x will impact different agencies in varying ways

A caveat to the point I just made is that there is likely to be wide variation in the extent to which different government agencies can benefit from increased competition as a result of FedRAMP 20x.


Although FedRAMP allows other agencies to reuse a CSP’s security package once one agency has granted an Authority to Operate (ATO), each agency can still impose its own requirements on vendors and suppliers (i.e., the risk threshold varies from agency to agency), not to mention require a different impact level (Low, Moderate or High). Some technology providers are therefore likely to find it easier than others to clear the compliance hurdles necessary to get authorized by different agencies, even with the help of FedRAMP 20x.

  4. FedRAMP 20x will encourage efficiency in all compliance contexts

FedRAMP only applies to the U.S. federal government sector, and changes to the authorization process have no direct bearing on businesses that operate in other verticals. Still, by making efficient authorizations a priority for FedRAMP, a particularly complex compliance program, FedRAMP 20x may encourage other regulators to streamline their certification requirements, too.


This is likely to be especially true for compliance frameworks that are modeled on FedRAMP, such as StateRAMP and TX-RAMP, which apply to state-level government agencies. This means that FedRAMP 20x may indirectly benefit businesses that operate in non-federal government sectors, too, by making it easier for them to achieve the authorizations they need to serve agencies.


That said, FedRAMP 20x is also likely to reflect or embody innovations made by some of these other frameworks. For example, by examining whether other security standards could fully or partially satisfy FedRAMP requirements, FedRAMP 20x is working to simplify the process for CSPs that already comply with those standards, so they do not have to duplicate effort. While this may seem like an obvious step, it is important to remember that it could also affect how reusable a security package is from one agency to another. So, much remains to be examined and resolved.

  5. Risk management, governance and compliance modernization remain critical

The overarching trend within the compliance space writ large is toward ever-increasing complexity. In response, businesses should modernize and automate as many parts of their GRC programs as possible.


Practices like centralizing the documentation of cybersecurity processes, automating evidence collection, and continuously monitoring and validating controls are critical for achieving and maintaining a FedRAMP authorization, as well as for addressing the various other compliance regulations and frameworks that govern businesses’ ability to perform certain types of work. FedRAMP 20x appears to incorporate these ideas and is looking to industry collaboration to implement them, from automated processes to continuous monitoring.


The bottom line: While the federal government’s risk appetite has not changed, and the overall compliance landscape remains complex, FedRAMP 20x is a welcome change that promises to simplify FedRAMP authorizations in a significant way. It also injects more opportunity and dynamism into the ecosystem surrounding IT services for government agencies, which is great news for businesses across the government sector as a whole.