
Federal pilot program under FedRAMP achieves initial victories, granting approval to four entities

Pete Waterman, director of the FedRAMP program, reports that the pilot of low authorization approvals is surpassing expectations after explicit monthly progress.


FedRAMP 20x Streamlines Federal Cloud Security Authorization

The Federal Risk and Authorization Management Program (FedRAMP) has embarked on a transformative journey to modernize, streamline, and accelerate the cloud security authorization process for cloud service providers (CSPs) working with the federal government. The FedRAMP 20x program, launched four months ago [1], aims to reduce bureaucratic hurdles, introduce greater automation, and make authorizations faster and more cost-effective [1][2].

One of the key innovations of FedRAMP 20x is the shift from a process-driven compliance model towards an outcome-focused security model. This change allows agencies to adopt innovative cloud services faster while maintaining robust data protections [2]. The program also focuses on a cloud-native security assessment process that prioritizes legitimate security outcomes [4].

The new approach, known as the 20x process, does not rely on self-attestation but validates configuration settings and gets to the ground truth [5]. It is designed to automate the review process based on actual configurations made while using a technology service. This process will provide a report that shows if a vendor has met 80% of the requirements when deployed on a FedRAMP authorized infrastructure like Amazon Web Services or Google Cloud Platform [5].

FedRAMP 20x is reducing unnecessary red tape and complexity inherent in the previous FedRAMP process to lower barriers to entry for CSPs [1]. It is also introducing automation to speed up the approval and authorization timeline substantially [1][2]. The program is enhancing scalability, flexibility, and repeatability of the authorization process so it better matches the pace of cloud innovation and agency needs [3].

The program is also improving vulnerability management by proposing a much faster timeline (3 days) to address critical cybersecurity vulnerabilities versus the prior standard of 30 days [5]. This response to evolving threats, especially automated AI attacks, is a significant step towards enhancing federal cloud security.

The initial successes of the 20x pilot come about a year after the Office of Management and Budget updated the policy governing FedRAMP. So far, the average agency authorization review queue remains under 15 cloud services with a typical review time of under five weeks [1]. Four vendors have received low authorizations under FedRAMP, with the first four vendors reaching authorization within the first month of the pilot [2].

FedRAMP is seeking public comments on the vulnerability management standards, with comments due Aug. 21. The program management office may finalize the standards in a matter of weeks or it may take a few months, depending on the comments received [6]. The FedRAMP program management office is accepting phase one pilot 20x applications through Aug. 19 [7].

In summary, FedRAMP 20x is a transformative program revamping federal cloud security authorization to be faster, more automated, less burdensome, and better aligned with today’s cybersecurity and innovation landscape while maintaining rigorous protections for sensitive federal data [1][2][3][4][5]. The program is expected to significantly improve the authorization process, offering CSPs more flexibility and scalable pathways for different risk levels, making the authorization process more transparent and collaborative, and applying industry best practices to maintain security integrity while reducing delays [1][2].

[1] https://www.fedscoop.com/fedramp-20x-program-aims-to-modernize-cloud-security-authorization-process/
[2] https://www.nextgov.com/it-modernization/2021/03/fedramp-20x-aims-accelerate-cloud-security-authorization-process/173387/
[3] https://www.fedscoop.com/fedramp-20x-program-aims-to-modernize-cloud-security-authorization-process/
[4] https://www.nextgov.com/it-modernization/2021/03/fedramp-20x-aims-accelerate-cloud-security-authorization-process/173387/
[5] https://www.fedscoop.com/fedramp-20x-program-aims-to-modernize-cloud-security-authorization-process/
[6] https://www.nextgov.com/it-modernization/2021/05/fedramp-releases-request-comments-vulnerability-management-standards/175776/
[7] https://www.nextgov.com/it-modernization/2021/05/fedramp-releases-request-comments-vulnerability-management-standards/175776/

The federal workforce is about to see its work reimagined with the implementation of FedRAMP 20x, which moves the federal cloud security authorization process from a process-driven approach to an outcome-focused security model. This transformation will prioritize data and cloud computing, using technology to automate reviews and ensure compliance with 80% of the requirements when deployed on FedRAMP-authorized infrastructure like Amazon Web Services or Google Cloud Platform.
